Lecture Notes in Computer Science 1233 

Edited by G. Goos, J. Hartmanis and J. van Leeuwen 
Advisory Board: W. Brauer D. Gries J. Stoer 




Springer 

Berlin 

Heidelberg 

New York 

Barcelona 

Budapest 

Hong Kong 

London 

Milan 

Paris 

Santa Clara 

Singapore 

Tokyo 




Walter Fumy (Ed.) 



Advances in Cryptology 
EUROCRYPT ’97 



International Conference on the Theory and 
Application of Cryptographic Techniques 
Konstanz, Germany, May 11-15, 1997 
Proceedings 




Springer 




Series Editors 

Gerhard Goos, Karlsruhe University Germany 
Juris Hartmanis, Cornell University NY, USA 
Jan van Leeuwen, Utrecht University The Netherlands 



Volume Editor 
Walter Fumy 

Siemens AG, Corporate Technology 
Otto-Hahn-Ring 6, D-81730 Munich, Germany 
E-mail: walter.fumy@mchp.siemens.de 



Cataloging-in-Publication data applied for 



Die Deutsche Bibliothek - CIP-Einheitsaufhahme 



Advances in cryptology : proceedings / EUROCRYPT ’96, 
International Conference on the Theory and Application of 
Cryptographic Techniques, Konstanz, Germany, May 11 - 15, 1997. 
Walter Fumy (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; 
Budapest ; Hong Kong ; Lxrndon ; Milan ; Paris ; Santa Qara ; 
Singapore ; Tokyo : Springer, 1997 

(Lecture notes in computer science ; Vol. 1233) 

ISBN 3-540-62975-0 



CR Subject Classification (1991): E.3.4, G.2.1, D.4.6,F.2.1-2, C.2, J.l, K.6.5 
ISSN 0302-9743 

ISBN 3-540-62975-0 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way» and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1 965, 
in its current version, and permission for use must always be obtained from Springer -Verlag. Violations arc 
liable for prosecution under the German Copyright Law. 

© Springer- Verlag Berlin Heidelberg 1997 
Printed in Germany 

Typesetting: Camera-ready by author 

SPIN 1 0548767 06/3 1 42 - 5 4 3 2 1 0 Printed on acid-free paper 




Preface 



Eurocrypt '97, the 15th annual Eurocrypt conference on the theory and 
application of cryptographic techniques, was organized and sponsored by the 
International Association for Cryptologic Research (lACR). The lACR 
organizes two series of international conferences each year, the EUROCRYPT 
meeting in Europe and Crypto in the United States. 

The history of EUROCRYPT started 1 5 years ago in Germany with the Burg 
Feuerstein Workshop (see Springer LNCS 149 for the proceedings). It was due 
to Thomas Beth’s initiative and hard work that the 76 participants from 14 
countries gathered in Burg Feuerstein for the first open meeting in Europe 
devoted to modem cryptography. 1 am proud to have been one of the 
participants and still fondly remember my first encounters with some of the 
celebrities in cryptography. 

Since those early days the conference has been held in a different location in 
Europe each year (Udine, Paris, Linz, Linkoping, Amsterdam, Davos, 
Houthalen, Aarhus, Brighton, Balantonfured, Lofthus, Pemgia, Saint-Malo, 
Saragossa) and it has enjoyed a steady growth. Since the second conference 
(Udine, 1983) the lACR has been involved, since the Paris meeting in 1984, the 
name EUROCRYPT has been used. For its 15th anniversary, EUROCRYPT finally 
returned to Germany. 

The scientific program for EUROCRYPT '97 was put together by a 1 8-member 
program committee which considered 104 high-quality submissions. These 
proceedings contain the revised versions of the 34 papers that were accepted 
for presentation. In addition, there were two invited talks by Ernst Bovelander 
and by Gerhard Frey. 

A successful EUROCRYPT conference requires the combined efforts of many 
people. First, I would like to thank the members of the program committee, 
who devoted a tremendous amount of time and energy to reading the papers 
and making the difficult selection. They are: Michael Burmester, Hans 
Dobbertin, Marc Girault, Shafi Goldwasser, Alain P. Hiltgen, Don B. Johnson, 
Pil Joong Lee, Tsutomu Matsumoto, David Naccache, Kaisa Nyberg, Paul 
Van Oorschot, Torben P. Pedersen, Josef Pieprzyk, Bart Preneel, Rainer 
Rueppel, Claus Schnorr, and William Wolfowicz. 

In addition, I gratefully acknowledge the support to the program committee by 
the following experts: Albrecht Beutelspacher, Simon R. Blackburn, Carlo 
Blundo, Antoon Bosselaers, Odoardo Brugia, Marco Bucci, Anne Canteaut, 
Chris Chames, Ivan Damgdrd, Yvo Desmedt, Erik De Win, Markus Dichtl, 
Michele Elia, Piero Filipponi, Marc Fischlin, Roger Fischlin, Steven Galbraith, 




VI 



Oded Goldreich, Dieter Gollmann, Shai Halevi, Helena Handschuh, Erwin 
Hess, Stanislaw Jarecki, Joe Kilian, Lars R. Knudsen, Xuejia Lai, Fran9oise 
Levy-dit-Vehel, Keith M. Martin, Willi Meier, Alfred Menezes, Renato 
Menicocci, Daniele Micciancio, Freda Mihailescu, Thomas Mittelholzer, Sean 
Murphy, Pascal Paillier, Birgit Pfitzmann, Tal Rabin, David M'Raihi, Vincent 
Rijmen, Ron Rivest, Rei Safavi-Naini, Jacques Traore, and Peter Wild. I 
apologize to those whose names have inadvertently escaped this list. 

1 also thank Alfred Biillesbach, Roland Muller, Roland Nehl, and Susaime 
Rdhrig for taking the resposibility to organize Eurocrypt '97, and Christina 
Strobel for her help with the proceedings. 

Finally, I would like to thank the authors of all submissions (including those 
whose papers could not be accepted because of the large number of high- 
quality submissions received) for their hard work and cooperation. 



March 1997 



Walter Fumy 




EUROCRYPT '97 

May 11-15, 1997, Konstanz, Germany 

Sponsored by the 

International Association for Cryptologic Research (lACR) 



General Chairmen 

Roland Nehl, Deutsche Telekom, Germany 
Alfred Buellesbach, debis Systemhaus, Germany 



Program Chairman 

Walter Fumy , Siemens AG, Germany 



Program Committee 

Michael Burmester University of London, U.K, 

Hans Dobbertin BSI, Germany 

Marc Girault SEPT, France 

Shafi Goldwasser MIT, USA 

Alain P. Hiltgen Crypto AG, Switzerland 

Don B. Johnson Certicom, USA 

Pil Joong Lee Postech, Korea 

Tsutomu Matsumoto Yokohama National University, Japan 

David Naccache Gemplus, France 

Kaisa Nyberg Finnish Defence Forces, Finland 

Paul Van Oorschot Entrust Technologies, Canada 

Torben P, Pedersen Cryptomathic, Denmark 

Josef Pieprzyk University of Wollongong, Australia 

Bart Preneel K.U. Leuven, Belgium 

Rainer Rueppel R3 Security Engineering, Switzerland 

Claus Schnorr University of Frankfurt, Germany 

William Wolfowicz Fondazione Ugo Bordoni, Italy 




Contents 



Block Ciphers 

Two Attacks on Reduced IDEA 1 

Johan Borst, Lars R. Knudsen, and Vincent Rijmen 

Combinatorial Properties of Basic Encryption Operations 14 

Thilo Zieschang 

Public Key Systems 

A New Public-Key Cryptosystem 27 

David Naccache and Jacques Stern 

On the Importance of Checking Cryptographic Protocols for Faults 37 

Dan Boneh, Richard A. DeMillo, and Richard J. Upton 

Lattice Attacks on NTRU 52 

Don Coppersmith and Adi Shamir 

Protocols 

Kleptography: Using Cryptography Against Cryptography 62 

Adam Young and Moti Yung 

Fast and Secure Immunization Against Adaptive 

Man-in-the-Middle Impersonation 75 

Ronald Cramer and Ivan Damgdrd 

Anonymous Fingerprinting 88 

Birgit Pfitzmann and Michael Waidner 

A Secure and Optimally Efficient Multi- Authority Election Scheme 103 

Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers 

Key Escrow 

Binding ElGamal: A Fraud-Detectable Alternative 

to Key-Escrow Proposals 119 

Eric R. Verheul and Henk C.A. van Tilborg 

The GCHQ Protocol and Its Problems 134 

Ross Anderson and Michael Roe 




X 



Hash-Functions 

Bucket Hashing with a Small Key Size 149 

Thomas Johansson 

A New Paradigm for Collision-Free Hashing: 

Incrementality at Reduced Cost 163 

Mihir Bellare and Daniele Micciancio 

Information Theory 

Smooth Entropy and Renyi Entropy 193 

Christian Cachin 

Information-Theoretically Secure Secret-Key Agreement by NOT 

Authenticated Public Discussion 209 

Ueli Maurer 

Stream Ciphers 

Linear Statistical Weakness of Alleged RC4 Keystream Generator 226 

Jovan Dj. Golic 

Ciyptanalysis of Alleged A5 Stream Cipher 239 

Jovan Dj. Golic 

Complexity Theory 

Lower Bounds for Discrete Logarithms and Related Problems 256 

Victor Shoup 

Stronger Security Proofs for RSA and Rabin Bits 267 

Roger Fischlin and Claus Schnorr 

Round-Optimal Zero-Knowledge Arguments 

Based on Any One-Way Function 280 

Mihir Bellare, Markus Jakobsson, and Moti Yung 

Efficient Cryptographic Protocols Based on Noisy Channels 306 

Claude Crepeau 

Rapid Demonstration of Linear Relations 

Connected by Boolean Operators 318 

Stefan Brands 

Oblivious Transfers and Privacy Amplification 334 

Gilles Brassard and Claude Crepeau 




XI 



Implementation 

SHA: A Design for Parallel Architectures? 348 

Antoon Bosselaers, Rene Govaerts, and Joos Vandewalle 

Fast Arithmetic Architectures for Public-Key Algorithms 

over Galois Fields GF((2T) 363 

Christof Paar and Pedro Soria-Rodriguez 

Finding Good Random Elliptic Curves 

for Cryptosystems Defined over F 2 " 379 

Reynald Lender 

Authentication 

Incremental Cryptography and Memory Checkers 393 

Marc Fischlin 

Almost k-wise Independent Sample Spaces 

and Their Cryptologic Applications 409 

Kaoru Kurosawa, Thomas Johansson, and Douglas Stinson 

Boolean Functions 

More Correlation-Immune and Resilient Functions over 

Galois Fields and Galois Rings 422 

Claude Carlet 

Design of SAC/PC(1) of Order k Boolean Functions 

and Three Other Cryptographic Criteria 434 

Kaoru Kurosawa and Takashi Satoh 

Signatures 

Distributed "Magic Ink" Signatures 450 

Markus Jakobsson and Moti Yung 

Efficient and Generalized Group Signatures 465 

Jan Camenisch 

Collision-Free Accumulators and Fail-Stop 

Signature Schemes Without Trees 480 

Niko Baric and Birgit Pfitzmann 

Selective Forgery of RSA Signatures Using Redundancy 495 

Marc Girault and Jean-Frangois Misarsky 



Author Index 



509 




Two Attacks on Reduced IDEA 
(Extended Abstract) 



Johan Borst*\ Lars R. Knudsen'-^, Vincent Rijmen^** 

^ T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, 

borst@win.tue.nl 

^ K.U. Leuven, Dept. Elektrotechniek-ESAT, Kard. Mercierlaan 94, B-3001 Heverlee, 
{lars.knudsen,vincent.rijmen}@esat. kuleuven.ac.be 



Abstract. In 1991 Lai, Massey and Murphy introduced the IPES (Im- 
proved Proposed Encryption Steindard), later renamed IDEA (Interna- 
tional Data Encryption Algorithm). In this paper we give two new at- 
tacks on a reduced number of rounds of IDEA. A truncated differential 
attack on IDEA reduced to 3.5 rounds and a differential-linear attack on 
IDEA reduced to 3 rounds. The truncated differential attack contains a 
novel method for determining the secret key. 



1 Introduction 

The block cipher IDEA (International Data Encryption Algorithm) was pro- 
posed by X. Lai and J. Massey in [11] as a strengthened version of PES (for Pro- 
posed Encryption Standard) proposed by the same authors in [10]. The blocks 
are 64 bits and the keys are 128 bits. Both ciphers are based on the design 
concept of “mixing operations from different algebraic groups”. IDEA was de- 
veloped to increase the security against differential cryptanalysis. In [9] it was 
argued that for 3 rounds of IDEA there are no useful differentials and concluded 
that IDEA is resistant against a differential attack after 4 of its 8 rounds. 

IDEA is an iterated cipher consisting of 8 rounds followed by an output 
transformation. We count the output transformation as an extra half round. The 
complete first round and the output transformation are depicted in the compu- 
tational graph shown in Figure 1. The two multiplications and the two additions 
in the middle of the figure are called the MA-structure. The key schedule takes 
as input a 128 bit key and returns 52 subkeys, each of 16 bits. 

W. Meier cryptanalysed 2 rounds of IDEA in a differential-like attack using 
a partial distributive law [14]. J. Daemen found large classes of weak keys for 
IDEA [4] and also described an attack on 2.5 rounds of IDEA for all keys in [3]. 

Differential cryptanalysis was introduced by Biham and Shamir in [1]. In 
an attack on an iterated cipher one considers plaintext pairs P, P* of a certain 
difference and the corresponding ciphertexts C and C* . The main tool in the 

* The work of the first author was done while visiting K.U. Leuven. 

** F.W.O. research assistent, sponsored by Funds for Scientific Research-Flanders 
(Belgium) 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 1-13, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




2 



Xo X, X2 X3 




I 7 more rounds 




output 

transformation 



X; : 16-bit plaintext subblock 
V’l : 16-bit ciphertext subblock 
Z*' ’ : 16-bit key subblock 

0 : bit-by-bit exclusive-OR of 16-bit subblocks 
ffl ; addition modulo 2^'’ of 16-bit integers 
O : multiplication modulo 2^® -f 1 of 16-bit integers 
with the zero subblock corresponding to 2^® 



Fig. 1. Computational graph for the encryption process of the IDEA cipher. 



differential attack is the characteristic, a list of the expected differences in the ci- 
phertexts after each round of the cipher. Lai and Mcissey introduced the notions 
of differentials in [11, 9]. Later in [6] Knudsen extended the notions of differen- 
tials to that of truncated differentials, where only subsets of the differences are 
predicted. A right pair is a pair of plaintexts, for which the ciphertext differ- 
ences follow the differential. In a differential attack an attacker needs to get at 
least one right pair. However, an attacker might not be able to determine which 
pairs are right pairs from the differences in the ciphertexts, but if the charac- 
teristic or differential predicts also the differences in (parts of) the ciphertexts. 




3 



often an attacker can discard pairs, which are not right pairs. A wrong pair is a 
pair of plaintexts, for which the differences in the ciphertexts do not follow the 
differential, but which looks like a right pair to the attacker. 

In the linear attack [12] by Matsui one considers linear combinations of some 
bits of the plaintext, the ciphertext and the key, and defines linear characteristics. 
Nyberg introduced the linear hull [15], the analogue to differentials in differential 
attacks. In [5] Heilman and Langford combined the differential and the linear 
attack to the differential-linear attack, and applied it to 8 rounds of the DES. 

In this paper we give two new attacks on IDEA. In Section 2 the differential 
attack using truncated differentials is described, which can be used to break 3.5 
rounds of IDEA. In Section 3 the differential-linear attack is described, which 
can be used to break 3 rounds of IDEA and Section 4 gives concluding remarks. 
Full versions of the attacks in this paper are described in [2, 8]. 



2 Truncated Differential Attack 



In this section we describe a differential attack on 3.5 rounds of IDEA using 
truncated differentials. We define the difference of two bit strings A and A* of 
the same length as 

= ( 1 ) 

For differential cryptanalysis of IDEA with other definitions of difference, we 
refer to [11, 14). Under the definition of difference (1) IDEA is not a Markov 
cipher [11]. Also, as we will see, the probabilities of the differentials used depend 
very much on the key used in the encryptions. Thus, the hypothesis of stochastic 
equivalence [11], i.e., that the average probability of a differential taken over all 
keys is approximately the same as the probability for a fixed key for virtually 
all keys, does not hold for IDEA with difference (1). 

Consider the following one-round differential for IDEA. 

(«, 5, c, d) ^ (e, /, g, h) (e (I) 0 f 0 h (I) k) 

{a, b, c, d) denotes the four-word input difference and (e, /, g, h) denotes the differ- 
ence after the key addition. This transition has probability pi. With probability 
P 2 the input difference (e©.</, /©/i) to the MA-structure leads to an output differ- 
ence {k, 1). The output difference of the round is given as (e(hZ, /©fc, h©fc). 

The 3-round truncated differential used in our attack on IDEA is: 



(A, 0,5,0) (C,0,C,0) 

(C,C,0,0) 4 (D,E,0,0) 

(0,D,0,£) "T (0,F,0,E) 
(0,0, F,F) -4 (0,G,0,if) 



(0,0)-h(0,0)^ 

{D,Ef~4\E,D)^ 

(Q.O)A(O.O)^ 



(C',c,0,0) 

(0, D, 0, E) 
(0,0, F,F) 




4 



where the words A to H represent any values. The average probability of the 
truncated differential is 2“®^. This probability is computed over all choices of 
the inputs to a round and to the MA-structure and over all choices of the round 
keys and where we have also assumed that the MA-structure acts like a random 
function. 

This differential has a mirror image with the same probability; 

(0, A, 0, B) (0, C, 0, C) (0, 0, C, C) 

2-32 

(0,0, C,C) (0,0,£>,E) {D,0,E,0) 

(f^,0,T,0)'C (F,0,F,0) (F,F,0,0) 

(F,F,0,0) 4 (G,0,H,0) 

These differentials are called truncated differentials, since we predict only 
two of the four words, the zeros, of the differences after each round. 

We consider the attack also for reduced versions of IDEA, that operate on 
four nibbles, IDEA(16) and on four bytes IDEA(32), respectively, instead of four 
16-bit words [9]. These reductions allow us to actually implement the attack and 
experimentally verify our results. The above differentials are defined similarly 
for the reduced versions. The average probabilities are 2“^® respectively 

2.1 Description of the attack 

First the attack on IDEA (full block length) is described. A structure of plain- 
texts consists of 2^^ texts; pi and pz are fixed, po and pz take on all possible 
values. We can use every combination of two texts as a pair. This means we 
generate 2^^ ■ (2^^ — l)/2 « 2®^ pairs from a structure. For every structure the 
expected number of right pairs is 0.5. The differential requires that Ac^ and Ac-z 
are equal to zero, and only such pairs are considered. On the average only one 
out of 2^'^ pairs will survive this test. For each surviving pair do the following; 
for all possible keys check whether 

(po O 4 '^) ® iPo ® 4'*) = (P 2 S 4 '*) ® iP 2 S 4 '^) • (2) 

On the average, this holds for 2^® values of {Z^\z^p). Similarly we check for 
which keys in the output transformation, it holds that 

(Cl © (Z|"V’) ® (4 © (21'*)“') = (c;i Bz^"*) © (c;BZ^^*) . (3) 

Note that for a right pair these tests arc successful for the correct value of the 
key. In total it can be expected that each pair suggests 2®^ 64-bit key values and 
therefore every structure will suggest 2®'^ keys. Therefore every value of the key 
will be suggested 0.5 times per used structure and, as indicated above, every 
structure will suggest the correct value of the key 0.5 times. One might expect 
that among all the key values suggested by wrong pairs is also the correct value of 
the key. However, a wrong pair in the above attack will not suggest the correct 




5 



value of the key. For a non-discarded pair of plaintexts and their ciphertexts 
a key will be suggested if the tests (2) and (3) succeed. For the correct value 
of the key this means that the input difference to the second round will be 
(C,(7,0, 0). The output difference of the third round will be (0,0, F,F), and 
the input difference of the third round will be (0,D,0,E). Thus, the difference 
in the second round after the key addition will be (D‘ , E' ,0,0) and the output 
difference of the round is (0, D,0, E). But this implies that D' = D and E' = E, 
because of the structure of the round function of IDEA. It follows that if the 
correct value of the key is suggested for a pair of plaintexts, this must be a right 
pair. Summing up, for every structure in the attack there will be 0.5 right pairs, 
which suggest the correct value of the key, and 2'^' wrong pairs, which on the 
average suggest a wrong value of the key 0.5 times. Thus, for the above attack 
the traditional method of Riharn-Shamir [1] will not work, the 5/7V-ratio is 1, 
meaning that the correc.t value of the key cannot be distinguished from any other 
value of the key. 

However, as we will see, the probability of the above differentials used in the 
attack depends very much on the secret key. For some keys the probability is less 
than the average probability and for other keys it is larger. We extend the key 
search method of a differential attack to the cases where the probability of the 
differential for the correct value of the secret key is different from the average 
probability over all keys. The bigger this difference the faster the attack. If the 
difference is big enough and if we assume that wrong values of the secret key is 
suggested randomly and uniformly by the attack, the correct value of the key 
will be found using sufficiently many plaintext pairs. This is a novel approach in 
differential attacks and reminiscent of the key searc:h method in a linear attack 
[ 12 ]. 

For the actual attack, there is an overlap between the key bits we count on in 
the first round and the bits we count on in the last round. Furthermore, because 
of the absence of a carry bit after the highest order bit of the modular addition, 
we are unable to distinguish keys that differ only in these bits, so we will regard 
these two values of the key as one. These two observations are very important 
to reduce the memory requirements when we implement the attack. Using the 
first differential above 14 key bits overlap and two bits arc indistinguishable for 
IDEA, which means that we would search for only 48 bit key values. For the 
reduced versions of IDEA we implemented key schedules, such that relatively 
as many key bits overlap. For IDEA(32) and IDEA(16) seven and three bits 
overlap, respectively. This means that in these cases we search for only 23 bit 
and 11 bit key values. To find other key bits a similar attack with the second 
differential above can be executed. 



2.2 Experimental verification 

We implemented the attack using the first differential on IDEA(16). First we 
calculated the probability of the differential for all keys by exhaustive search. 
Table 1 shows these probabilities for different classes of keys. The average prob- 
ability over all keys was estimated to 2“'*’ ''’. The key-dependency of the proba- 




6 



#Keys/All keys 


Probability 


13% 


0 


12% 


0<p<2"^® 


21% 


2-‘» <p<2-'" 


30% 


2“^"' < p < 2“^® 


14% 


2-« <p<2-'5 


10% 


2 ^^'" <p < 1 



Table 1. Probability of the used differential for IDEA(16) with 3.5 rounds for classes 
of the secret key. 



#Keys/All keys 


# Structures 


# Chosen plaintexts 


25% 


16 




40% 


32 


213 


51% 


64 


214 


59% 


128 


215 


67% 


256 


216 



Table 2. Average number of chosen plaintexts needed in the attack on IDEA(16) with 
3.5 rounds in TOGO a,ttacks. 



bilities stems mostly from the second round of the differential, where a difference 
{D, E) in the inputs to the MA-structure must result in difference [E, D) in the 
outputs of the MA-structure. Of most interest are the classes of keys that devi- 
ate most from the average probability. It is interesting to see that for about 1 in 
every 8 possible values of the secret key the probability of the used differential 
is zercr. The numbers in Table 1 also indicate that the attack will not work for 
some classes of keys, namely the classes of keys for which the probabilities arc 
too close to the average probability over all choices of the keys. 

Ill Table 2 we list the results of 1000 implementations of our attack on 
IDEA(16) for increasing number of chosen plaintexts. We used key rankings 
as in [13] and tested whether the correct value of the key was among the eight 
least and eight most suggested values, thus the attack returns 16 suggestions for 
11 bits of the secret key. As seen, using all plaintexts the correct value of the 
key is among those 16 values in about 67% of all cases. Note that there are a 
total of 2^® plaintexts of IDEA(IG) and that an exhaustive search for the key 
will take the time of about 2'^'* encryptions. 

Next we implemented attacks on IDEA(32). First we estimated the proba- 
bilities of the used differentials for different classes of keys. The result follows 
from Table 3. Based on the results of 160 experiments with random keys, we es- 
timated the average probability over all keys to Note that this is slightly 

less than first estimation made in the beginning of this section. This difference 




7 



#Keys/AlI keys 


Probability 


14% 


0 < p < 2“®® 


10% 


2“®® < p < 2^®® “ 


31% 


2 <p< 2 ®® 


45% 


< p 



Table 3. Probability of the used differential for IDEA(32) for classes of the secret key. 



#Keys/All keys 


# Structures 


^ Chosen plaintexts 


1% 


16 




7% 


64 


2'22 


15% 


128 


223 


31% 


256 


224 


54% 


512 


225 


65% 


1024 


226 


83% 


2048 


227 



Table 4. Average number of chosen plaintexts needed in the attack on IDEA(32) with 
3.5 rounds in 100 attacks. 



is caused by the fact that the MA-stnicture is not a random mapping. We im- 
plemented the attack for 100 different randomly chosen keys using up to 2048 
structures. The results are given in Table 4. Using the above results on reduced 
versions of IDEA, we estimate the number of chosen plaintexts needed in our 
attack on IDEA. From Table 2 it follows that one finds 25% and 51% of the keys 
using respectively 2^”^'® chosen plaintexts for n = 16 for IDEA(16). From 
Table 4 it follows that one finds 1% and more than 83% of the keys using 2''’"/® 
respectively 2^”^® chosen plaintexts for n = 32 for IDEA (32). As can be seen the 
number of keys we can recover increases for larger block sizes with relatively the 
same amount of data. We predict that a similar increase will occur for the attack 
on IDEA. Next we consider the workload and the amount of memory needed. 
One needs enough memory to store one structure. Once one structure has been 
analysed it is thrown away and a new structure analysed. Thus, the memory 
requirement for the attack on IDEA is 2®^ words of each 64 bits. The w'orkload 
is the estimated number of operations needed to perform the attack, measured 
as the number of encryptions of the cipher. The 2®'® ciphertexts in a structure 
are hashed on the values of Cq and C 2 , since for a right pair the pairs of these 
values are equal. The workload of the hashing and storing of the ciphertexts is 
small compared to the time of the rest of the attack. For each pair that survives 
the filtering process we try all possible 2^® values of the affected keys of each 
side of Eq. (2). These tests can be sped up by pre-calculating a table to avoid 
the expensive multiplication operation. This table would be of size 2®^ 16-bit 




8 



#Keys/All keys 


# Structures 


# Chosen plaintexts 


Workload 


>1% 


2® 






>31% 


216 


248 


259 


>83% 


224 


256 


267 



Table 5. Estimated number of chosen plaintexts needed in the attack on IDEA with 
3.5 rounds with 2 ^^ words of memory. 



words. We estimate that a multiplication takes the equivalent of 3.5 additions, 
and that an addition, an exclusive-or and a table-lookup take about the same 
time. The workload is about 2^^ encryptions of IDEA with 3.5 rounds for every 
analysed pair. Totally, the. workload is about 2^^^ encryptions for every structure. 
Because of the overlap of key bits in this first round test with the key bits in the 
output transformation, the second part of the key search, i.e. using Equation (3), 
is much faster than the first and can be ignored in the workload estimation. 

The estimated number of chosen plaintexts and the workload for our attack 
on IDEA is given in Table 5. Note that an exhaustive search for the key of IDEA 
takes the time of about 2^^® encryptions of IDEA. Finally we discuss how to find 
additional key bits. The attack outlined above finds 48 bits of the 128 bit key of 
IDEA. However, once these key bits have been found, one can do a similar attack 
using the second truncated differential. As noted earlier the key-dependency of 
the probability of the first differential comes mostly from the second round of 
the differentials. Since the second round is the same for the two differentials, one 
can expect that for a fixed key the probabilities of the two differentials are very 
close. After doing the attack with the second differential one has all 64 key bits in 
the beginning of the first round and all 64 key bits of the output transformation. 
Subsequently, one can do similar attacks on a further reduced version of IDEA. 



3 A Differential-linear Attack 



In this section we give a differential-linear attack on IDEA reduced to 3 rounds. 
We will use the notation P = ipo,Pi,P 2 ,P 3 ), C — (cq, ci, C2, C3) to describe 
plaintexts, ciphertexts and their 16-bit subblocks. The version we look at is 3 
rounds without the output transformation and where we omit the swapping of 
the second and third ciphertext blocks. We will write A[i] to indicate the bit 
of A, where A[0] is the least significant bit (LSB) of A and A[15] denotes the most 
significant bit (MSB) for a 16-bit word A. These indices will be omitted whenever 
the context makes it clear which bit(s) we are considering. With A[i , ... ,j] we 
will indicate the row of bits A[i]...A[j\. Also, we define some special 16-bit 
symbols pi for ?. = 0, . . . , 15, where pi[i] = 1 and pi[j] = 0 for j ^ 




10 



3.1 Choosing plaintexts 

Consider the two rounds of IDEA in Figure 2. The inserted boxes give the ex- 
pected values of the differentials used in our attack. 

We guess the value of We encrypt a set of plaintexts (po,Pi,P 2 ,P 3 )j 

where po and p -2 arc fixed. With Api = pi one gets Aj = pi with probability 
0.5 (see c.g. [IG, 7]), and similarly with probability 0.5 one gets the difference pi 
in outputs of the second addition in the second round, as indicated in Figure 2, 
thus this part of the differential has probability 1/4. A closer analysis shows that 
one can pick six plaintext pairs such that this part of the differential holds at 
least once. Details are given in the full paper [2]. The values of p-^ are chosen 
such that for the pairs we are going to analyse 

Qpl) ft) ( 4 ') 0P3) = (pl ffl © (pi s = A, , 

This ensures that the input difference of the MA-structurc in the first round is 
zero. For one of the six pairs the difference after the key addition of the second 
round will be 

(0,0,/t.,,a). (4) 



3.2 Sets of linear relations 

We concentrate on the first multiplication in the MA-structure of the second 
round and denote the input with p^‘^^ and the output with . Then 

= (Zf ^ 0p|2>) ft) (4'^^ 0 © p ,)) . 

We observed that for every choice of z[^^ there are several possible values for pi 
such that 

= 0 ( 5 ) 

with a probability p, such that the bias |p— 1/2| > 0.166 over all p^^\ Furthermore 
we observed that for all but 26 of the 2^"^ possible values of there is at least 
one Pi for which the bias is larger then 1/4. 

We are going to use this in a linear attack. Instead of having one relation 
that holds with an average probability for each key, we are going to use a set of 
relations. For each key at least one of the relations has a large bias. This idea is 
central to our attack. 

3.3 Propagation 

From now on, we only consider the least significant bits of the various 16-bit 
intermediate results. For these bits the modular addition reduces to an exclusive- 
or. Denote by and the outputs of the second multiplication in the MA- 
structure of the second and third round, respectively. Using (4) we get for the 
difference after the second round 

{AtS^\,Pi © AiP\Ar'''^^ © © At^'^'>). 




11 



Because the ciphertext (cq, ci , C 2 , C 3 ) equals the output of the third round, we 
can calculate 

= Ac2 © © At^'-^^ 

Ar^''^'> = At''^^ © Zlci © fM © Af^^ = Aci © Zic 2 © ih © Ar^'^^ , 

where is defined in a similar way as r^‘A other words, we are able to predict 
the least significant bit of the output difference of the first multiplication of the 
MA-structure of the last round. The inputs of this multiplication are the subkey 
and an intermediate result that equals Cq © C 2 . For every ciphertext pair 
we can calculate cq © 02 and predict with a high probability. We keep a 

counter for every possible value of and increment the counters of the key 
values that are compatible with the calculated Q) © cy and . 

Note that we don’t know for which Hi (5) holds with large probability. There- 
fore we have to repeat the attack for different values of pt. Also we guessed the 
value of Z^^\ Our experiments suggest that for wrong guesses of Z^^^ the al- 
gorithm fails to suggest a specific value for Z^'^K Thus we can recognize wrong 
guesses. With this algorithm it is impossible to distinguish between the correct 
subkey values and their additive inverses modulo 2 ^® + 1 . 

When is guessed correctly, tests have shown that we need at most 9000 < 
2 ‘'* pairs to determine z!i^\ On the average we guess correctly after 2^'^ trials, 
therefore we need about 2'^^ plaintext pairs. Examining one plaintext pair takes 
a few exdusive-or operations and 2 ^® table look-ups, one for each value of 
Since we examine 16 differentials, our attack needs totally about 2^® simple 
operations, i.e., addition or exclusive-or, for each pair and the total workload is 
therefore about 2“® simple operations. Using the estimate of Section 2 that an 
exclusive-or takes the same time as an addition and a multiplication takes 3.5 
times as much time as either of them, the workload is about equal to 0.75 • 2^^ 
encryptions with 3 rounds of IDEA. 

3.4 Finding additional key bits 

In this paragraph we will describe how to find the subkeys Zg^^ and (or 
their additive inverses modulo 2'® + 1). For this a method will be used similar 
to the main one described in [3]. First we will give a definition of compatibility. 

Definition 1. A word A is said to be compatible with B modulo N if there 
exists a pair of words (7,(7* with (7 © (7* = A and C - C* (mod N) = B. 

It is easy to see that a word A is compatible to at most 2^ words modulo N, 
where k is the Hamming weight of A. The probability that a randomly chosen 
word with Hamming weight k and another one arc compatible modulo 2^® is 
therefore smaller or equal to 2 *’“'®. 

For this part of the attack we will consider only the plaintext pairs that 
we already constructed with the correct guess for Z.j’^ (or its additive inverse 
modulo 2^® + 1 ) that yield pi 5 after the key addition of the second round. The 




12 



difference after the second round is (/3, 7, 7©a), see Figure 2. Like a, 7 and 

6 the difference (j is unknown. However, since is known (or 2^® + 1 — 

/ Q 1 / 0\ 

when also and Z(, ' would be known, we would be able to calculate (3 
for each pair and the intermediate values f/3^^) before the MA- 

structure of the last round. Then /? © /xis must be compatible modulo 2^® with 
S B (7^^* B ’ B To find 4'^ and we simply 

guess their values and for each guess check this compatibility requirement. It 
can be shown [3] that the expected number of pairs needed to eliminate a wrong 
guess for a pair is approximately equal to 1 divided by the probability 

that a random 16-bit word is compatible modulo 2^® to another one. Tests have 
shown that this number is between 1 and 5. 

As in the previous section this search method doesn’t make a distinction 
between and their additive inverses modulo 2^® + 1. It takes two mul- 
tiplications with and Z|^^ to find and Aq^^\ but as Zj^^ is fixed, 

multiplications with this key are many times the .same. Then it takes one mul- 
tiplication with to find /L So finding and Zg‘^^ takes at mo.st 2®^ 

multiplications modulo 2^® + 1. According to the estimates earlier made this is 
about equal to 1.5 • 2^® encryptions with 3 rounds of IDEA. 

Finally, one can find the remaining key bits by doing additional attacks using 
similar characteristics as the above. The attack will have a better performance, 
since many key bits are already known. 

4 Conclusions 

We have presented two attacks on IDEA with a reduced number of rounds. The 
first attack finds the secret key of 3.5 rounds of IDEA in more than 86% of 
all cases using an estimated number of 2®® chosen plaintexts and a workload of 
about 2®^ encryptions of 3.5 rounds of IDEA. With 2'*® chosen plaintexts the 
attack works for 1% of all keys. The second attack finds the secret key of 3 
rounds of IDEA. It needs at most 2^® chosen pairs of plaintext and a workload 
of about 2^^ encryptions with 3 rounds of IDEA. 

Although our attacks make use of some sophisticated techniques, the efficien- 
cies, in particular the workloads, of the algorithms probably can be improved 
greatly. Further we think that similar attacks can be successful against more 
rounds of IDEA, but it is questionable if in this way anything substantial can 
be achieved against the full 8.5-rounds version of IDEA. 

References 

1 , E. Bihain and A. Shamir. Differential Cryptanalyms of the Data Encryption Stan- 
dard. Springer Verlag, 1993. 

2. J, Burst. Differential- Linear Cryptanalysis of IDEA. Technical Report ESAT- 
COSIC Report 96-2, Department of Electrical Engineering, Katholieke Universiteit 
Leuven, Febr. 1997. 




13 



3. J. Daemen, R. Govaerts, and J. Vandewalle. Cryptanalysis of 2,5 rounds of IDEA. 
Technical Report ESAT-COSIC Report 94-1, Department of Electrical Engineer- 
ing, Katholieke Universiteit Leuven, March 1994. 

4. .1. Daeriien, R. Govaerts, and .1. Vandewalle. Weak keys for IDEA. In T. Helleseth, 
editor. Advances in Cryptology - Proc. Eurocrypt’93, LNCS 773, pages 224-231. 
Springer Verlag, 1994. 

5. M.E. Heilman and S. K. Langford. Differential linear cryptanalysis. In Y. G. 
Desmedt, editor. Advances in Cryptology - Proc. Crypto’94, LNCS 839, pages 26- 
39. Springer Verlag, 1994. 

6. L.R. Knudsen. Truncated and higher order differentials. In B. Preneel, editor, Fast 
Software Encryption - Second International Workshop, Leuven, Belgium, LNCS 
1008, pages 196-211. Springer Verlag, 1995. 

7. L.R. Knudsen and W. Meier. Improved differential attack on RC5. In Neal 
Koblitz, editor, Advances in Cryptology - Proc. Crypto’96, LNCS 1109, pages 216 
228. Springer Verlag, 1996. 

8. L.R. Knudsen and V. Rijmen. T'runcatcd Differentials of IDEA. Technical Re- 
port ESAT-COSIC Report 97-1, Department of Electrical Engineering, Katholieke 
Universiteit Leuven, Febr. 1997. 

9. X. Lai. On the Design and Security of Block Ciphers. PhD thesis, ETH, Zurich, 
Switzerland, 1992. 

10. X. Lai and J.L. Ma.ssey. A proposal for a new block encryption standard. In LB. 
Damgard, editor. Advances in Cryptology - Proc. Eurocrypt’90, LNCS 473, pages 
389 404. Springer Verlag, 1991. 

11. X. Lai, .I.L. Massey, and S. Murphy. Markov ciphers and differential cryptanalysis. 
In D.W. Davies, editor, Advances in Cryptology - Proc. Eurocrypt’91 , LNCS 547, 
pages 17-38. Springer Verlag, 1992. 

12. M. Matsui. Linear cryptanaly.sis method for DES cipher. In T. Helleseth, editor, 
Advances in Cryptology - Proc. Eurocri/pt’93, LNCS 765, pages 386-397. Springer 
Verlag, 1993. 

13. M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. 
In Y. G. Desmedt, editor, Advances in Cryptology - Proc. Crypto’94, LNCS 839, 
pages 1-11. Springer Verlag, 1994. 

14. W. Meier. On the security of the IDEA block cipher. In T. Helleseth, editor. 
Advances in Cryptology - Eurocrypt’93, LNCS 765, pages 371-385. Springer Verlag, 
1993. 

15. K. Nyberg. Lineai- approximations of block ciphers. In A. De Santis, editor, Ad- 
vances in Cryptology - Proc. Eurocrypl’94, LNCS 950, pages 439-444. Springer 
Verlag, 1994. 

16. R.A. Rueppel. Analysis and Design of Stream Ciphers. Springer Verlag, 1986. 




Combinatorial Properties of Basic Encryption Operations 

Extended Abstract 



Thilo Zieschang 
ARCOR 

Kolner Strasse 12, 65760 Eschborn, Germany 
email; zieschang@acm.org 



Abstract. The basic ingredients of modem fast software block encryption 
schemes are computer instmctions like SHIFT, ADD, XOR etc. We 
analyze the algebraic slmcture of different combinations of those 
cryptographic primitives from a purely combinatorial point of view. 
Different subsets of such operations will yield an interesting variety of 
different permutation groups, e.g. semidirect products, affine linear 
groups, WTeath products, and symmetric groups. As we will show, a 
simple pair of a SHIFT and an ADD operation is already powerful 
enough to generate every possible encryption function on its set of input 
blocks. On the other hand, any possible combination of SHIFT and XOR 
operations can only produce a subset of at most n2" functions within the 
symmetric group of order n!. The present results are useful in theory at 
first. Their cryptographic applications can be found in providing practical 
tools for the analysis of the algebraic structure of new block encrt^tion 
schemes and evaluation of their subroutines. 



1 Introduction 

One of the main goals in secret key cryptography is the development of design criteria 
for good block ciphers. Several necessary conditions are known which have to be 
fulfilled by every secure cipher. To support fast software encryption, many of the 
recently developed block ciphers are compositions exclusively of efficient, basic 
computer instructions like SHIFT, XOR, and ADD, for example. Further, arithmetic 
operations like exponentiation or multiplication in Fermat prime moduli have been used. 
Examples of such encryption schemes are IDEA, SAFER, RC5 and others. A lot of trial 
and error is involved in the development of new block ciphers. Different subsets and 
combinations of the above basic operations result in completely different levels of 
security. Besides such properties as confusion, diffusion, avalanche, nonlinearity, 
resistance against several known cryptanalytic attacks, etc., it is an important criterion 
that a given encryption algorithm realizes a large variety of different permutations 
among its binary input vectors. The importance of those combinatorial properties on the 
security of block ciphers had been pointed out by several authors. Nevertheless, few 
systematic work has been done in this area so far. Thus, it is important to analyze the 
combinatorial structure of those basic cryptographic functions which are the underlying 
components of most encryption schemes. We will study different combinations of basic 
operations with respect to the above security measure. By analyzing their group 
generating properties we answer the question how many different encryption functions 
can be realized by given subsets of those operations, and which is their corresponding 
cycle structure. Another important question in terms of resistance against cryptanalytic 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 14-26, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




15 



attacks is whether the generated permutation group is a primitive or an imprimitive 
group. Suppose we have a pair (P,C) of plaintext and ciphertext, C = Ek(P), and assume 
that the encryption algorithm E generates an imprimitive group G. Let Aj and Aj be 
blocks for G with P e A; and C e A^. Then, according to the definition of imprimitivity, 
eveiy other plaintext P’ which is also contained in A; will automatically be mapped into 
Aj. Since this can considerably reduce the search amount, this property would severely 
undermine the security of an encryption scheme. Thus it is necessary to verify whether a 
given block cipher generates an imprimitive or a primitive group. 

It is the intention of this present work to provide useful results and proofs that can be 
employed in the analysis of combinatorial properties of block ciphers. Note that 
combinatorial results like those below are designed to simplify the determination of the 
specific group generated by a given algorithm. In practice, however, we have to make 
use of additional randomness assumptions to consider the data-dependence of our 
encryption algorithm appropriately. 

As one can see, a rich algebraic structure is involved when combining different sets of 
computer instructions. Among others, the following groups of permutations do occur: 
symmetric groups of different degree, semilinear products, wreath products, and affine 
general linear groups. 



2 Basic Operations 

First, we have to identify a set of simple instructions that are bijective functions on the 
set of n-bit binary vectors. Subsequently, we will refer to such functions as basic 
operations. Consider the addition of two variables, for example. If we add always some 
fixed value c, we get a function ADD_c, which operates on single input variables. All 
basic operations can be regarded as permutations, which allows us in the present context 
to speak about their cycle structure, element order, and so on. Since we study CPU 
registers, their length n to be used below will often be a power of two. 

It is an interesting question whether it is feasible to realize every possible permutation 
as a product of simple basic operations? As we will see - the answer is yes. This is even 
possible if we restrict ourselves to products consisting of only two different, fixed basic 
operations. 



2.1 Elementary Properties of Individual Basic Operations 

In this section we will introduce some of the individual basic operations which have to 
be studied in more detail. 

XOR_c This function operating on binary vectors of length n works as follows. 
The input value is XOR’ed with some arbitrary, but constant value c. If c is not equal to 
the all-zero string, then we get an involution. One of the transpositions, say (a,b), in the 
cycle decomposition of XOR_c can be constructed as desired, by choosing an 
appropriate c value. We can simply take c = (a XOR b), so that a maps on b. By choice 
of 2" - 1 different fixed values c, this yields 2" - 1 different fixed point-free involutions. 




16 



Note that XOR_c is always an even permutation, since the number of transpositions in 
its cycle decomposition is equal to 2"''. 

Example: let n = 4 and suppose that c = [1010]. We identify the set of 4-bit strings with 
the corresponding decimal numbers 0, 1, 15. This yields the following permutation: 
XOR_c = (0, 10)(1, 1 1)(2, 8)(3, 9)(4, 14)(5, 15)(6, 12)(7, 13). 

SHIFT_k We will understand this function as a logical shift (rotation) to the right 
by k positions. The order of this permutation is equal to n/gcd(k,n). Further, the 
permutation is not fixed p»oint-ffee and contains cycles of different lengths dividing n. 
Shifting by a different number of positions gives n-1 nontrivial permutations of this 
type. We can determine the fixed points of SHIFT k explicitly. Let the variable X 
represent an arbitrary bit string of some fixed length. If X = 101, for example, then 
XXXX stands for a string of the form 101101101101. The function SHIFT_k has 
exactly fixed points of form XX..X, where X is an arbitrary string of length 

gcd(k,n). 

It is easy to determine the cycle structure of a SHIFT_k permutation. Since SHIFT_k = 
(SHIFT_1)'‘ , it is sufficient to examine SHIFT_1. Let [a,,aj,...,a„] = [X,,X 2 ,...,Xb] be a 
partition of the input vector into b subblocks of equal length m, bm = n, such that those 
subblocks do not allow further subdivision of the form Xj = YY, where Y is a subblock 
of length m/2. Then, in the cycle decomposition of SH1FT_1, the element [a„ aj, ..., a„] 
is contained in a cycle of length m. This implies the following numbers of cycles. The 
number of elements contained in n-cycles corresponds with the number of n-bit vectors 
[X„ Xj] with X, ^ Xj. This is equal to 2"- 2"^ = (2"'^-l)2'^. Hence, SHIFT_1 possesses 
(2"^ - l)2"^/n cycles of length n. In general, the number of elements contained in n/m- 
cycles, m | n and m < n, corresponds with the number of n-bit vectors [(XiX^)"'] with X, 
Xj. Hence, SHIFT_1 contains (2"^“- 2"^"’)m/n cycles of length n/m. As we can see 
from the above, for every given b, the number of cycles of length b is a multiple of two, 
which shows that SHIFT_1, and hence SHIFT_k = (SHIFT_1)‘‘, is always an even 
permutation. 

Example: let n = 4. Again, we identify the set of 4-bit strings with the corresponding 
decimal numbers 0, 1, ..., 15. For k = 1, for example, we get the permutation SHIFT_1 s 
(0)(1, 2, 4, 8)(3, 6, 12, 9)(5, 10)(7, 14, 13, 1 1)(15). 

ADD_c This function represents addition modulo 2" of the constant value c, 
ignoring overflow. ADD_1, for example, results in the 2"-cycle (0, 1, 2, .., 2"-l). 
ADD c, 0 < c < 2", is always a fixed point-free, regular permutation, which means that 
it consists of k cycles of length m, m 3^ 1 , such that km = n. The cycle length m is equal 
to ra = 2"/gcd(c,2"). This shows that ADD_c is not always an even permutation. ADD_c 
is an odd permutation if and only if the resulting cycle decomposition yields a 2”-cycle, 
which is the case for those c with gcd(c,2") = 1 . Hence, ADD_c is even if and only if c is 
even. 

Example: let n = 4 and suppose that c = 5. This yields the permutation ADD_5 = (0, 5, 
10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 1 1). 

MUL_c This operation means multiplication modulo 2" (ignoring overflow) by 
some constant c, where c is odd and 0 < c < 2”. MUL_c is a bijective mapping, if and 




17 



only if, gcd(c , 2”) = 1 , which yields the above condition on possible values for c. Zero 
and 2" ' are always fixed points; odd numbers are always mapped on odd, and even 
numbers are mapped on even numbers. 

Example: let n = 4 and c = 5, then we get the function MUL_5 with the following cycle 
structure: MUL_5 s(0)(l, 5, 9, 13)(2, 10)(3, 15, 11, 7)(4)(6, 14)(8)(12). 

The length of every cycle in the permutation MUL_c divides 2”'^, since (Z/2”Z)* s 
(Z/2Z) X (Z/2"'^Z). MUL_c produces odd permutations as well as even permutations, 
depending on c; more exactly, the following holds. 

Lemma: MUL_c is an even permutation even if and only if c = 1 mod 4. 

Proof: Every element a e (Z/2"Z)’ has one of two possible forms: either a = 4m - 1 or a 
= 4m’ + 1 , with m, m’ e N. In both cases, the square a^ of a has the same form, a^ = 4k + 
1, where k = (4m - 2)m or k = (4m’ + 2)m’, respectively. Hence, if b g (Z/2“Z)’ is a 
quadratic residue, then it follows that b = 1 mod 4. Since (Z/2"Z)‘ has exactly 2”'^ 
quadratic residues, as well as it has exactly 2"'^ elements b with b = 1 mod 4, and since 
further every quadratic residue necessarily yields an even permutation, this already 
proves the assertion. 

MULT_c For values c such that gcd(c, 2"+l) = 1, MULT_c can be understood as 
the (bijective) function which multiplies the input variable by the constant c, modulo 
2"+l . To see how this works, we give a short example. While computing with our binary 
strings, we will not identify them with the set of numbers {0, 1, ..., 2"-l}. Instead we 
will take the set {1, 2, ..., 2"}, thus replacing zero by 2". If 2"+l is prime, then MULT_c 
is a fixed point-free, regular permutation. This can be seen as follows. If MULT_c were 
not regular, then an appropriate power of MULT_c would have some fixed points. This, 
however, is impossible, since nonzero multiplication in a prime modulus is invertible, 
which implies that ca a for every c i* 1 and a * 0. The operation MULT_c can 
efficiently be executed by a method called „low-high multiplication**, as described in 
Lai [Lai], page 35. 

Lemma; The basic operation MULT_c, considered as a permutation on the set of n-bit 
binary vectors, is even if and only if c is a quadratic residue modulo 2" +1 . 

Proof: The set {MULT_c | 1 < c < 2"} forms a group G of order 2" containing both, odd 
and even permutations. This follows, since G always contains an odd cycle MULT_d of 
length 2", where d is a generator of the multiplicative group of the prime field 
Z/(2"+l)Z. Each permutation group containing odd elements has an equal number of 
odd and even elements. 

If c is a quadratic residue modulo 2" + 1 , then MULT_c must be an even permutation. 
But (Z/(2" + 1)Z)’ has exactly 2"‘‘ quadratic residues, hence each quadratic nonresidue e 
G (Z/(2" + 1)Z)* must yield an odd permutation MULT e. This proves the assertion. 

Example: let n = 2, then 2"+l = 5 is prime; as a result, the following permutations do 
occur: MULT_2 s (1, 2, 4, 3), MULTJ s (1, 3, 4, 2), MULT_4 s (1, 4)(2, 3). 




18 



2.2 Closure and Generating Properties of Individual Functions 

We have the following generator properties of individual basic operations. Here, <M> 
denotes the group generated by the set M. 

<{XOR_c I c e {0, 1 }“}> = <{XOR_Cj | 1 < j < n} >, where Cj ;= [b,b 2 ...bj, with bj = 5^. 
The resulting group is an elementary abelian 2-group of order 2", which is isomorphic to 
(Zj)". Every minimal generating set for this group comprises of n elements. 

<{SHIFT_k I 0 < k < n}> = <SHIFT_1>. The generated group is isomorphic to the 
cyclic group of order n. 

<{ADD_c I 0 < c < 2"}> = <ADD_1>. The generated group is isomorphic to the cyclic 
group of order 2". 

<{MULT_c I 0 < c < 2"}>, where p ;= 2" + 1 is prime. Then the multiplicative group 
(Zp)* is cyclic and we find a generating element g such that <{MULT_c | 0 < c < 2"}> = 
<MULT_g>. Hence, this group is isomorphic to a cyclic group of order 2". If 2" + 1 is 
not prime, then the structure of the multiplicative group of Z/(2" + 1)Z varies in 
accordance with n. In practice, however, we use the operation MULT only in Fermat 
prime moduli, which is the case for n = 8 and n = 1 6, for example. 

<{MUL_c I c odd, 0 < c < 2"}> = <MUL_a, MUL_-1>, where a is an element of order 
2"'^. The multiplicative group of ZKTZ) is an abelian group of order 2"‘‘. This group is 
isomorphic to Z/(2"'^Z) x Z/(2Z). 

3 Combination of Basic Operations 

In the above sections we have studied several types of basic operations that can be used 
in the construction of fast software encryption schemes. Now the question arises which 
specific subsets of those basic operations should be combined together to achieve a 
large number of encryption functions, i.e. permutations of binary n-bit vectors, with 
presumably high structural complexity? Therefore, we have to analyze the group 
generating properties of different combinations of those basic operations. In the present 
paper, due to its space limitations, we restricted ourselves to a collection of some 
interesting pairs of generators, resulting in different permutation groups. 

As we will see, there are surprisingly big differences among slightly different mixtures. 
For example, consider two different cryptosystems operating on binary input vectors of 
length n, the first consisting of a combination of SHIFT and XOR operations, while the 
second system is using a combination of SHIFT and ADD operations. Then the first 
scheme will only be able to produce at most n2” different, simple-structured 
„encryptions“, while the second scheme has the power to generate the whole amount of 
2"! possible encryption functions. 

If we further mention the result that, taken two arbitrary permutations fi'om the 
symmetric group of degree n, it is most probable that those two elements already 




19 



generate the whole alternating or symmetric group (probability ^ 1 for n -> oo), then it 
is even more surprising that the groups generated by different pairs of basic operations 
are much smaller in most cases. 



3.1 {XOR, SHIFT} : Semidirect Products 

Theorem: The group G generated by the set S:= {SHIFT_d, XOR_c | 0 < d < n, c e 
{0,1 }”} of all SHIFT and XOR operations is isomorphic to a semidirect product G = NU 
of an elementary abelian 2-group N of order 2" by a cyclic group U of order n. The order 
of G is equal to n2" and G can be generated by n -t- 1 elements. If n = 2'‘ is a power of 2, 
then G is a nonabelian 2-group of order The maximal required word length with 
generating set S is equal to 2. 

Proof: Suppose we have a finite sequence a,a 2 ...a,„ of XOR and SHIFT operations. Then 
it is always possible to replace this sequence by a single XOR operation, followed by a 
single SHIFT operation (or, alternatively, first SHIFT and afterwards XOR). The reason 
for this is the following obvious exchange property: 

XOR_e • SHIFT_d = SHIFT_d ■ XOR_c, where c := SHIFT_-d(e). 

Hence, we only have to enumerate all n2" possible words SHIFT_d • XOR_c to get all 
elements of the group generated by the set {SHIFT_d, XOR_c | 0 < d < n, c 6 {0,1}"}. 
The cardinality of this group is equal to n2": Suppose that SHIFT_d, • XOR_c, = 
SHIFT_d 2 -X0R_C2. Then left multiplication of both sides by SHIFT_-d, yields: 
XOR_c, = SHIFT_(d 2 -d,) • XOR_C 2 . If we apply both sides to the register A := C 2 , then 
we get (c, XOR C 2 ) = 0. It follows that c, = C 2 , which further implies that d, = dj. We 
have shown that the group generated by XOR and SHIFT operations is of order n2“. 

Next we have to determine the structure of this group. The set N := {XOR_c | c e 
{0,1}"} of XOR operations is a subgroup of the alternating group of degree 2" and is 
isomorphic to an elementary abelian 2-group, N = (Zj)". The set U := {SHIFT_d [ 0 < d 
< n} is isomorphic to a cyclic subgroup of order n. Further, let XOR_c e N and 
SHIFT_d e U be two arbitrary elements of the above sets, then 
SHIFT_d • XOR_c ■ (SHIFT_d) ‘ = SHIFT_d • XOR_c • SHIFT_-d = XOR_e e N, with 
e := SHIFT_-d(c). Hence, N is a normal subgroup of the product group UN = NU. Since 
N n U = {id}, this shows that the set {SHIFT_d, XOR c | 0 < d < n, c e {0,1 }"} = NU 
is a semidirect product of N by U whose order is n2". 

If the register length n = 2‘‘ is a power of two, the order of G is also a power of two and 
G is a nonabelian 2-group of order 2'“*". G can be generated by n+1 elements: one 
SHIFT and n XOR operations, as shown in the previous section. If we take the 
generating set {SHIFT_d, XOR_c | 0 < d < n, c e {0,1 }"} for G, then the diameter of the 
corresponding Cayley graph is equal to 2. 




20 



3.2 {ADD, SHIFT} : Symmetric Groups of Degree 2" 

Theorem: The group G of degree 2", n e N, generated by the set {ADD_c, SHIFT_d | 0 
< c < 2", 0 < d < n} of all ADD and SHIFT operations is isomorphic to the symmetric 
group of degree 2". 

Proof: Our strategy is to construct a specific group element g e G whose existence 
within primitive groups of sufficiently large degree forces the group to be isomorphic to 
the alternating or symmetric group of corresponding degree. Therefore, our first task is 
to prove that the generated group G is not imprimitive. Suppose that G is imprimitive 
and A c Q := {0, 1, 2, 2”' '} is a nontrivial block for G (i.e. 1 < |A| < 2”) containing 
zero, 0 e A. If A contains an odd element a, 0 < a < 2", then a = ADD_a(0) and therefore 
A = ADD_a(A). Further, this implies that A = (ADD_a)'(A) for every 0 < i < n. But for 
odd a we have <{(ADD_a)‘ | 0 < i < n}> = <ADD_1>. Hence, it follows that O = 
<ADD_1>(0) c A, which shows that in this case A = Q, a contradiction. Hence, A 
contains only even numbers. Let k e A be such an even number, k 0. Then the binary 
n-bit register representing the integer k contains at least one bit equal to 1. By an 
appropriate power SHIFT_c of SHIFT l, this „1“ can be shifted by c positions to the 
least significant bit of our register, the result of this operation thus representing an odd 
number. Since 0 is a fixed point of SHIFT c, we see that SHIFT c(A) = A. But then we 
also have SHIFT_c(k) e A, which is a contradiction, since, by construction, SHIFT_c(k) 
is odd. Hence, the group G must be primitive. 

The second step of our proof is the construction of an appropriate group element g, from 
which we can deduce that G contains the alternating group of degree 2”. Here, we will 
show that the primitive group G of degree 2” always contains a 2""'-cycIe g. Let s be a 
cycle, s = (Si, Sj, Sj, ..., s,), and let t be an arbitrary permutation. Then one can verily that 
it always holds the equation tsf' = (t(s,), t(s 2 ), t(s 3 ), ..., t(s,)); the conjugate of s has the 
same cycle structure than s itself. It is obvious that the same then holds for arbitrary 
permutations s, s consisting of two or more nontrivial cycles. 

Now consider the 2”-cycle ADD_1 = (0, 1, 2, 3, ..., 2" - 1) e G. By the above 
observation we see that a := SHIFT l ■ ADD l ■ SHIFT - 1 = 

= (SHIFT_1(0), SHIFT_1(1), SHIFT_1(2), SHIFT_1(3), ..., SHIFT_I(2" - 1)). 

For 0 < m < 2""'-l we have SHIFT_l(m) = 2m, since the rightmost bit in the binary 
representation of m is zero. Hence, in this case the logical shift SHIFT_1 is equivalent 
to an arithmetic shift. For 2"'‘ < m < 2" -1 we can write m = 2" ' + m’, 0 < m’ < 2”''-l . 
This allows us to see that for such m we get SHIFT_l(m) = SHIFT_1(2“ ') + 
SHIFT_l(m’) = 1 + 2m’. Therefore, the above permutation is equal to a = (0, 2, 4, 
6,...,2" - 2, 1, 3, 5,..., 2" - 1). From this, by setting e ;= 2 ”'\ we get a' = (0, 1)(2, 3)(4, 
5)...(2" - 2, 2" - 1). Finally, we compute g ;= ADD_-1 • a' = (2" - 1, 2" - 3, 2" - 5, ..., 3, 1). 
This element g fixes every even number and, as desired, is a cycle of length 2"''. Since 
every primitive permutation group of degree 2” containing a cycle of length 2""’ is (at 
least) (2" '+l)-fold transitive ([Wiel], Theorem 13.8), we see that for register length n, n 
> 2, the group G must be 9-fold transitive. But (see the classification of finite simple 
groups and [Came], for example) we know that in this case G must be isomorphic to 
either the alternating or symmetric group of corresponding degree. Since G contains odd 




21 



elements (take the 2"-cycle ADD_1, for example), G is isomorphic to the symmetric 
group of degree 2". Also, for n = 2, we get G = <ADD_1, SHIFT_1> = <(0,1,2,3), (1,2)> 

3.3 {MUL, SHIFT} : Symmetric Groups of Degree Z’ - 1 

Since 0 is a fixed point for MUL as well as for SHIFT operations, it is reasonable to 
consider zero as an exceptional value here. Therefore, we will subsequently consider the 
operation of G = <{MUL_c, SHIFT d | 0 < c < 2”, c odd, 0 < d < n}> on the set of 
register variables = Q - {0} = {1, 2, 3, ..., 2"- 1}. 

Theorem: The group G = <{MUL_c, SHIFT_d | 0 < c < 2”, c odd, 0 < d < n}> of 
degree 2”- 1, n e N, generated by all MUL and SHIFT operations acting on the set Q‘ = 
G - {0} of order 2” - 1 , is isomorphic to the synunetric group of degree 2” - 1 . 

Proof: Our strategy is as follows. First we show that G is transitive, primitive, and then, 
by a quite technical procedure, we construct an element in G which is a 3-cycle. 

Let X, y 6 Q‘ be two arbitrary points. First we show that there exists a permutation n e 
G such that 7t(x) = y. 

Case 1 : x and y are odd. By MUL_y, since y is odd, we can map 1 onto y. In the same 
way we can map x onto 1 by taking the inverse of MUL_x, i.e. multiplication by x’’. 
Combining both operations yields MUL_x''y(x) = y, as desired. 

Case 2; x even, y odd. Since x 0, we can shift x by an appropriate number k of 
positions, such that the least significant bit of x’ := SHlFT_k(x) is equal to „1“, thus x’ 
is odd. Now we can apply case (1) above on x’ and map x’ onto y. This shows that a 
combination of one SHIFT followed by one MUL operation can map x onto y. 

Case 3: x odd, y even. By simply taking inverse permutations, this is the same as in (2). 
Case 4; x and y are even. This is an immediate consequence of cases (2) and (3). 

Hence, the group G acts transitive on f2‘. However, we note that, in the general case, we 
need a sequence of not only two but three basic operations to map two arbitrary even 
numbers onto each other. The resulting operation has the form SHIFT ■ MUL ■ SHIFT. 
Now we have to show that the above transitive operation is primitive. Let A be a block 
for G which contains -1 . If we assume |A| > 1, then A contains an element c having zeros 
and ones in its binary representation. Since SHIFT_1(A) = A, this shows that A contains 
both, even as well as odd elements: simply shift c by an appropriate number of 
positions. 

Consider the permutation MUL_(2"'‘ + 1) e G. MUL_(2“’' + 1) is an involution that 
fixes every even element and consists of transpositions of the form (x, x + 2"‘‘ mod 2”). 
This can be seen as follows. Let x = 2y + 1 be odd. Then MUL_(2"'‘ + l)(x) = (2”"' + 
l)(2y + 1) = 2"y + 2" ' + 2y + 1 = x + 2"'' (mod 2"). Further, (2"'' + 1)^ = 1 (mod 2"), 
which shows that the order of MUL_(2" ' + 1) is equal to two. As we have noted, A 
contains even elements, and therefore MUL_(2”'' + 1)(A) = A. It follows that, for every 

odd element [b„.„ b„_ 2 , ..., b,, 1] in A, we also have [1 - b„.„ h „.2 b„ 1] e A. 

Suppose we have a number in A whose binary representation has the form [..., bj+ 2 , 1, bj, 
....], then we can shift the „1“ to the rightmost position, replace bj by 1 - bj, shift back 




22 



and finally get the element [..., bj+ 2 , U 1 - bj, ....] e A. Thus, we can construct every 
binary n-bit vector which is different from the all-zero vector by starting from -1 = [1, 1, 
1] and then replacing I’s and O’s accordingly. This is always possible if we start 
constructing each substring of adjacent zero positions by begirming replacement with 
the rightmost position within this substring. As we have shown, the block A must 
contain the whole set £1‘ = {1, 2, 3, ..., 2" '}. Hence, the group G acts primitive on Q’. 

We proceed by shortly explaining the action of some specific permutations in G, which 
we will combine subsequently to yield the appropriate 3 -cycle, forcing our group to be 
either alternating or symmetric. 

(i) Structure of SHIFT - 1 : 

The general structure is as follows: SHIFT_-1 maps 
X -> x/2, X even; x -> (x - 1)/2 + 2" ‘, x odd. 

Example n = 4: SHIFT_-1 = (0)(1,8,4,2)(3,9,12,6)(5,10)(7,1 1,13,14)(15) 

(ii) Structure of MUL_(2"‘' + 1): 

The general structure is as follows: MUL_(2""' + 1) maps 
x ^ x, X even; x -> x + 2”'’ mod 2”, x odd; 

Example n = 4: (0)(2)(4)(6)(8)(10)(12)(14)(1,9)(3,1 1)(5,13)(7,15) 

(iii) Structure of A := (MUL_(2"-‘ -h 1))*™^--': 

Let s be a cycle, s = (s,, Sj, Sj, ..., s^), and let t be an arbitrary permutation. Then tsf' = 
(t(s,), t(s 2 ), t(Sj), ..., t(S|J). Hence we can see that, by the above analysis of the structure 
of MUL_(2"'' + 1) and SHIFT_-1, we get the following cycle structure of the 
permutation A:= (MUL_(2"'’ + 1))®”“^-': 

The fixed points of A comprise of the set {x/2, 0 < x < 2", x even} = {0, 1, 2, 3,..., 2"'' - 
1 }. The transpositions in A have the form (x, x -i- , where 1 ^ x < 2"'', x odd, 

which yields transpositions of the following form: 

( (x - l)/2 -t- 2"-', (X + 2"-' - l)/2 + 2”-' ) = ( (x - 1)/2 -l- 2"’', (x - l)/2 + 2"'’ + 2"’^ ), where 1 
< X < 2""', X odd. As we can see, the permutation A does not move any element of size 
smaller than 2"''. Example n = 4: A = (8,12)(9,13)(10,14)(1 1,15). 

(iv) Structure of B := 

First, notice that MUL_-1 consists of two fixed points, namely 0 and 2"‘', together with 
transpositions of the form (x, 2" - x), for x = 1, 2, ..., 2" ‘ - 1. 

Thus, under conjugation by MUL_-1, the fixed points of A move into the following set 
of fixed points of B = A^-’: {0} u (2” - x, 1 < x < 2"-’ - 1} = (0, 2"-' + 1, 2"' + 2, 2"' 
-t- 3, ..., 2" - 1 }. Hence, the permutation B does not move any element of size larger than 
2"-'. Example n = 4: B = (1,5)(2,6)(3,7)(4,8). 

We combine the above observations and consider the product of A and B. Both 
permutations, A and B, are involutions. The only element which is going to be moved 
by A as well as by B is the element 2" '. Therefore, the permutation AB e G consists of 
the union of those transpositions of A and B which do not contain the element 2""', 
together with exactly one further cycle of length 3. This 3-cycle (x, y, 2"'‘) stems from 
the product of a transposition (x, 2" ') in A with a transposition (y, 2"'') in B. The square 
C := (AB)^ e G is a 3-cycle. Since the group G is primitive, this proves that G contains 
the alternating group of degree 2” - 1. Further, the group G contains odd permutations 
(take SHIFT_1, for example). Therefore, G is isomorphic to the symmetric group of 
degree 2” - 1 . 




23 



3.4 Groups of Larger Subsets of Basic Operations 

In the above sections we studied the properties of each individual basic operation, as 
well as the combinatorial properties of different pairs of possible combinations of those 
basic operations. With this knowledge about specific groups, each generated by two 
types of generating functions, it is relatively easy to determine the algebraic structure of 
larger generating subsets. If, for example, we have a pair {A, B} of basic operations, 
such that {A, B} already generates the whole symmetric group of degree 2", then 
obviously every larger set {A, B, C, ...} of basic operations forms also a generating set 
for this group. This applies, for example, to the systems {XOR, SHIFT, ADD}, (MUL, 
SHIFT, ADD}, {XOR, SHIFT, MUL}. As a fiinny property in this context, we can 
observe the following. Every addition ADD_c, 0 < c < 2", n e N, can be executed as a 
sequence of multiplications modulo 2” and multiplications modulo 2" + 1, i.e. ADD c 
<MUL, MULT>. By this property we get additional results on subsets of basic 
operations which can generate the complete symmetric group of degree 2”. This holds, 
for example, for the generating set {MULT, SHIFT, MUL}. 



4 MIX-2 - A Simple System Generating the Symmetric Group 
4.1 Description of MIX-2 

Based upon our analysis of basic encryption operations in the previous section, we will 
present a simple three-line algorithm named MIX-2 which is able to produce every 
possible permutation on its set of input vectors, i.e. MIX-2 can generate the symmetric 
group. MIX-2 uses only two different operations, namely SHIFT_a and ADD_b. Here, a 
and b are odd. The register length n depends on the computer; for example n = 64. We 
will deduce that the round function of MIX-2, as well as the full-round MIX-2 scheme 
do generate the whole symmetric group of degree 2". 

Let r denote the number of rounds, M the input vector of length n, and let (b„ bj, ..., b,) 
be the first r bits of the key K. Then the complete MlX-2 algorithm can be described as 
follows. 

FOR (i = 0; i < r; -H-i) 

IF bi ADD_b(M); 

ELSE SHIFT_a(M); 

As our key K we take a binary k-bit vector K = (b„ bj, ..., b,J, k being (preferrably) a 
power of two, for example k = 256. The number r of rounds is equal to k - (n + logj (n) - 
2). If n = 64, for example, then we get r = 256 - 64 - 6 + 2 = 1 88. Here, the bit sequence 
(b,+i, b,+ 2 . br„,.|, 1) provides the binary representation of the odd number b. Similiarly, 

the sequence (b,. 4 .„, br,.„+,, ..., b^, 1) represents the odd number a, 0 < a < 2". Now we can 
show the generator property of MIX-2. 




24 



Theorem: The full-round MIX-2, as well as its set of round functions, can generate the 
symmetric group of degree n, where n is the length of the input vectors. 

Proof: As we have shown, the set of all SHIFT and ADD operations {SHIFT_x, ADD _y 
I 0 < X < n, 0 < y < 2”} generates the symmetric group of degree 2°. But for every odd a 
and odd b, we have <SHIFT_a> = <{SHIFT_x| 0 < x < n} and <ADD_b> = <{ ADD_y | 
0 < y < 2”}>. Hence, the two basic operations SHIFT_a and ADD_b, and therefore the 
round functions of MIX-2, do generate the symmetric group. 

Now we have to study the resulting permutations of MIX-2 after r rounds. Take key K, 
:= (1„ I 2 , ..., If, •••)) then MIX-2 using this key corresponds with a simple ADD_rb 
operation. By the above definition it follows that r is odd, hence rb is odd and 
<ADD_rb> = <{ ADD_y | 0 < y < 2"}>. Similiarly, by taking key = (0„ Oj, ..., 0„ 
...), we see that SHIFT_ra generates all SHIFT operations. Thus we have shown that 
MIX-2 generates the symmetric group. 



4.2 Poor Combinatorial Behaviour Through Different Functions in MIX-2 

In the above definition of MIX-2, we could have chosen other pairs of basic operations 
as well. Suppose we replace the addition modulo 2", ADD_b, by the similiar operation 
XOR_b (in this case, the constant b does not have to be odd). The difference between 
the XOR_b and the ADD_b operation consists, simply speaking, only in the 
consideration of cany bits. Some cryptographic properties of those carry bits have 
already been studied in another, non-combinatorial setting, by W. Meier and 0. 
Staffelbach [StafTMei]. It is the propagation of those carry bits that saves the above 
algorithm from complete nonsense. The result of the replacement of ADD by XOR is 
disastrous. Independent from the actual number of rounds r, the resulting function 

FOR (i = 0; i < r; ++i) 

IF bj XOR_b(M); 

ELSE SHIFT_a(M); 

shrinks and is equivalent to a ,,2-round version“ 

XOR_b’(M); 

SHIFT_a’(M); 

of the previous algorithm, where the corresponding key K = (b,, b^, ...) can be chosen as 
K = (1, 0, ...), for example. 

Exactly the same problem occurs if, alternatively, we keep the ADD operator, but 
replace the SHIFT_a operator by MUL_a, i.e. multiplication modulo 2". (Here we have 
to adjust key lengths appropriately, since the odd constant a now satisfies 0 < a < 2".) 
Again, the complete algorithm 



FOR (i = 0; i < r; -H-i) 

IF bj ADD_b(M); 
ELSE MUL_a(M); 




25 



is reducible to 
ADD_b’(M); 

MUL_a’(M); 

since the affine general linear group AGL(1, 2") generated by those operations is a 
semidirect product AGL(1, 2") = GH of a group G by a group H, where G is generated 
by the set {ADD x | 0 < x < 2", x odd} and H is generated by the set {MUL_y | 0 < y < 
2", y odd}. The shrinking property follows, similiarly as in the previous case of <XOR, 
SHIFT>, from the fact that GH = HG. 

Another weakness occurs if we consider the pairs {XOR, ADD} or {XOR, MUL} as 
ingredients to the above MIX-2 system. Both resulting permutation groups are 
imprimitive in the sense that the set of odd input vectors and the set of even input 
vectors (i.e. least significant bit equal to 1 or 0, respectively) are permuted among 
themselves. Suppose we know one plaintext-ciphertext pair. Then, for example, if both 
text strings are even, we can deduce that every even (odd) plaintext will be mapped into 
an even (odd) ciphertext. For a cryptosystem, of course, this property would be 
intolerable. Note also that the multiplication operator MUL_a(.) always preserves the 
least significant bit of its operand. This fact, together with its relatively slow running 
time, is an additional disadvantage of the MUL operation. 

Note that there exist examples in the literature, one of which had been designed by S. 
Murphy, K. Paterson, and P. Wild [Mur/Pate/Wil], to demonstrate the existence of a 
weak cipher that nevertheless can generate the symmetric group. In their block 
encryption scheme, however, one of the bijections in the roimd function consists of a 
trivial permutation 9 whose cycle decomposition is 0 = (0)(2”'')(1, 2, ..., 2”'' - 1, 2°'‘ + 1, 
..., 2" -3, 2“ - 2, 2""’). Thus, in all but a few cases, 0 just increments its input by one, 
which is, of course, no very helpful encryption step. As the authors show, their 
cryptosystem, whose second encryption component is an XOR with the secret round 
key, can easily be broken by a known plaintext attack. We remark that MIX-2 is just a 
good example demonstrating a very simple algorithm having the potential to generate 
the whole symmetric group. We did not call it a cryptosystem and do not assume that 
MIX-2, without further ingredients and modifications, is of any use as a strong block 
cipher. Nevertheless, it is not that easy to break MlX-2, in comparison with its quite 
trivial structure. The above provides another reason to recommend the implementation 
of subroutines having strong combinatorial properties. 



5 Conclusions 

As we have shown, care has to be taken in the right combination of basic computer 
instructions to strengthen the combinatorial properties of an encryption algorithm. Since 
most schemes involve data-dependence of their basic encryption operations, some 
randomness assumptions have to be accepted in practice and further research in this 
direction should be undertaken to facilitate the determination of the group generated by 




26 



a given block encryption scheme. We analyzed the algebraic structure of different 
combinations of some basic encryption operations from a purely combinatorial point of 
view. Different subsets of such operations yield an interesting variety of different 
permutation groups, e.g. semidirect products, affine linear groups, wreath products, and 
symmetric groups. Even though the above results are useful in theory at first, their 
cryptographic applications can be found in providing practical tools for the analysis of 
the algebraic structure of block encryption schemes and combinatorial evaluation of 
their subroutines. 

6 Bibliography 

[Came] P. J. Cameron, Finite permutation groups and finite simple groups. Bull. 
London Math. Soc. 13 (1981), pages 1-22. 

[CampK/Wien] K. Campbell, and M. Wiener, DES is not a group, Proc. of Crypto’92, 
pages 512-520. 

[Cop/Gro] D. Coppersmith, and E. Grossman, Generators for certain alternating 
groups with applications to cryptography, SIAM Journal Appl. Math., 29(4), pages 624- 
627, 1975. 

[Eve/Gol2] S. Even, and O. Goldreich, DES-like functions can generate the alternating 
group, IEEE Transaction on Inf. Theory, IT-29(6), pages 863-865, 1983. 

[Hup] B. Huppert, Endliche Gruppen 1, 2. Nachdruck der 1 .Auflage, Springer- Verlag 
Berlin, Heidelberg, New York 1 967. 

[Hup/Bla] B. Huppert, and N. Blackburn, Finite groups 3, Springer-Verlag Berlin, 
Heidelberg, New York 1982. 

[Isa/Zie] I. M. Isaacs, and T. E. Zieschang, Generating symmetric groups, American 
Math. Mon., Oct. 1995, pages 734-739. 

[Mur/PateAVil] S. Murphy, K. Paterson, and P. Wild, A weak cipher that generates the 
symmetric group, J.Cryptology (1994) 7, pages 61 - 65, 

[Pie/Zha] J. Pieprzyk, and X. Zhang, Permutation generators of alternating groups, 
Auscrypt’90, pages 237-244. 

[Staf/Mei] O. Staffelbach, and W. Meier, Cryptographic Significance of the Carry for 
Ciphers Based on Integer Addition, Crypto’90, pages 601 - 614. 

[Wer] R. Wemsdorf, The 1-round functions of DES generate the alternating group, 
Proc. of Eurocrypf 92, pages 99-1 12 



[Wiel] H. Wielandt, Finite permutation groups. Academic 1964. 




A New Public-Key Cryptosystem 



David Naccache 

Gemplus Card International 
1 place de la Mediterranee 
Sarcelles cedex, F-95206, France 
100142 . 3240ecompuserve , com 



Jacques Stern 

Ecole Normale Superieure 
45 rue d’Ulm 

Paris CEDEX 5, F-75230, France 
Jacques . sternfiens . fr 



Abstract. This paper describes a new public-key cryptosystem where 
the ciphertext is obtained by multiplying the public-keys indexed by the 
message bits and the cleartext is recovered by factoring the ciphertext 
raised to a secret power. Encryption requires four multiplications / byte 
and decryption is roughly equivalent to the generation of an RSA signa- 
ture. 



1 Introduction 

It is striking to observe that two decades after the discovery of public-key cryp- 
tography, the cryptographer’s toolbox contains only a dozen of asymmetric en- 
cryption schemes. This rarity and the fact that today’s most popular schemes 
had so far defied all complexity classification attempts strongly motivates the 
design of new asymmetric cryptosystems. 

Interestingly, the cryptographic community has been relatively more success- 
ful in the related field of identification, where a user attempts to convince another 
entity of his identity by means of an on-line communication. For example, there 
have been several attempts to build identification protocols based on simple 
operations (see [19, 21, 22, 16]). Although the devising of new public key cryp- 
tosystems appears much more difficult (since it deals with trapdoor functions 
rather than simple one-way functions) we feel that research in this direction is 
still in order : simple yet efficient constructions may have been overlooked and, 
in a way, the present paper is an example of such a situation. 

As observed by [18], most asymmetric encryption schemes present the fol- 
lowing common design morphology : 

• Start with an intractable problem P and find an easy instance P[easy] G P 
which should be solvable in polynomial space and time. 

• Shuffle or scramble P[easy] until the resulting problem P[shuffle] does not 
resemble P[easy] any more and becomes indistinguishable from P. 

• Publish P[shuffle] and describe how it should be used for encryption. The 
information s by the means of which P[shuffle] is reduced to P[easy] is kept as a 
secret trapdoor. 

• Construct the cryptosystem in such a way that decryption is essentially differ- 
ent for the cryptanalyst and the legitimate receiver. Whilst the former must solve 
P[shuffle], the latter may use s and solve only P[easy]. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 27-36, 1997. 
© Springer- Verlag Berlin Fleidelberg 1997 




28 



Roughly at the same time when RSA was discovered [17], knapsack encryp- 
tion was introduced by Merkle and Heilman [11]. It used the knapsack problem 
where R[easy] was superincreasing and shuffling was a linear operation modulo 
some large integer. As is well known, the knapsack cryptosystem was broken by 
Shamir. A variant of the knapsack system was proposed by Chor and Rivest 
[4] where shuffling was more elaborate since it was based on computing discrete 
logarithms in finite fields. Later on, building on Chor and Rivest’s work, Lenstra 
[10] introduced the powerline system which, instead of computing logarithms, 
used directly the multiplicative structure of the field. For the sake of accurate pa- 
ternity respect, let us stress that the construction presented in this paper uses a 
multiplicative version of the basic (additive) knapsack problem by combining two 
old, and once well-known, techniques : the multiplicative Merkle-Hellman knap- 
sack [11] and Pohlig-Hellman’s secret-key cryptosystem [15]. The new scheme 
therefore relates to Merkle-Hellman ’s cryptosystem very much the same way as 
the powerline system is related to the Chor-Rivest scheme. Actually, we were not 
aware of [10] and it is through a note by Paul Camion [3] that we understood 
that we had found a missing species. 

The scheme presented in this article is based on the following problem : 

P : given p, c and a set {w,}, find a binary vector x such that 



n 

c — uf ’ mod p 
i=0 

It is easy to observe that if the w,-s are relatively prime and much smaller 
than p, P can be solved in polynomial time by factoring c : 

n 

/’[easy] is an instance of P where p > fl *^nd ged (u,-, Vj) = 1 for i ^ j. 

1=0 

The scrambled P[shufHe] is obtained by extracting a secret (s-th) modular 
root of each o, in P[easy]. By raising a product of such roots to the s-th power, 
each Vi shrinks back to its original size and x can be found by factoring. 

The following sections describe how to use P for public-key encryption. 



2 The new scheme 

Let p be a large public prime and denote by n the largest integer such that ; 



n 

P> n Pi where p, is the i-th prime (start from po = 2) 

1=0 

The secret- key s < p — 1 is a random integer such that gcd(p — 1, s) = 1 and 
the public-keys are the n -f- 1 roots generated d la Pohlig-Hellman [15] : 



Vi = mod p 




29 



n n 

m = ^ 2*m,- G is encrypted as c = 0 P recovered by ; 

1=0 t — 0 



! = 0 



2 ’ 



Pi - 1 



^ gcd(pi , c® mod p) — 1 j 



Naturally, as in all knapsack-type systems, the ViS can be permuted and 
re-indexed for increased security. 



2.1 a small example 

key generation for n = 7 The prime p 
and the secret s = 5642069 yield the 

Vo ~ f/2 mod p = 8567078 
= t/ 3 mod p = 5509479 
V '2 = f/E mod p = 2006538 
V 3 = f/7 mod p = 4340987 

encryption ofm = 202 = IIOOIOIO 2 

c = t;7 X Ug X Ug X U4 X V3 X 



= 9700247 >2x3x5x7x11x13x17x19 
'-list : 

114 = \/TT mod p = 8643477 
Vo — \/l3 mod p = 6404090 
vg — -s/vi mod p = 1424105 
?/’7 = f/l9 mod p = 7671241 

X x Dg mod p = 7202882 



decryption by exponentiation, we retrieve : 

c’ mod p = 7202882®®^^°®® mod 9700247 = 6783 

whereby : 

6783 = 19^ X 17^ X 13° x 11° x 7^ x 5° x 3^ x 2° m= IIOOIOIO 2 



information rate The information rate of our scheme (number of cleartext bits 
packed into each ciphertext bit) is sub-optimal since, in this example : 



log (m) / log (c) = ^ - 33.33% < 1 



2.2 p as a function of n 

Evaluating the growth of p and n is important for comparing and understanding 
the characteristics on the new scheme since message-space mainly depends on n 
while computational complexity is proportional to the square of p’s size. 
Lemma 1 Asymptotically : 

p ~ n!log"(Tj) where li(n) = / ~ ■; — 7 -^ 

whereas interpolation for 128 < n < 418 and 989 < logp < 4096 yields ; 




30 



|10001ogp+ 144525 -n (8062.11 + 6.74 n)+ 4.26337 (tj./10)^ I < 1012 

The following table summarises the relation between p and n for five frequent 
sizes of p : 



size of p 


n 


Pn 


M 


size of the u-list 


I 


512 bits 


74 


379 


75 bits 


4,800 bytes 


14.6% 


640 bits 


88 


461 


89 bits 


7 , 120 bytes 


13.9 % 


768 bits 


103 


569 


104 bits 


9,984 bytes 


13.5 % 


1,024 bits 


130 


739 


131 bits 


16,768 bytes 


12.8 % 


2,048 bits 


232 


1471 


233 bits 


59,648 bytes 


11.4 % 



Although, as explained in the next sub-section, the first three instances (512, 
640 and 768) are only given for illustrative purpose. 



2.3 The size of p 

M must be sufficiently large (we recommend at. least n > 160) to prevent 
birthday-search [20] through two lists of 2”^^ elements to find a couple of sets 
such that : 



n ~ ( n ^‘ ] ^ p 

M and I can be increased by combining the following strategies : 

n 

Represent m in a non-binary base (m = ^ r’m, , 0 < m, < r) and let 

1=0 



i=0 

Encryption and decryption become : 



v”'' mod p and m = 



J = 0 



log (Pi) 



X log gcd(p[’ ^ , c* mod p) 



size of p 


n 


Pn 


r 


M 


size of the n-list 


I 


1 , 024 bits 




379 


~3 


119 bits 


9,600 bytes 


11.6 % 


2,048 bits 
1 


EIQ 


739 


3 


208 bits 


33,536 bytes 


10.2% 


2 , 048 bits 




491 


4 


188 bits 


24,064 bytes 


9.2 % 


2 , 048 bits 


la 


223 






12,288 bytes 


7.0 % 


2 , 048 bits 




173 


EQ 


133 bits 

1 


10,240 bytes 


6.5 % 





















31 



n n n 

Let p < Yl P’ tiuL restrict ^ m, — w so that Vm E M, Y\ pT' < p- 
1 = 0 i=0 1 = 0 

This variant implies a non-standard coding (constant-weight messages are 
rather suited to random-challenge identification and less for encryption) but 
results in drastically smaller n-lists ; 



size of p 


n 


Pn 


w 


M 


size of the n-list 


X 


612 bits 


131 


743 


55 


125 bits 


8,448 bytes 


24.4 % 


512 bits 




1747 


47 


176 bits 


17,408 bytes 


34.4% 


768 bits 


199 


1223 


76 


187 bits 


19,200 bytes 


24.3% 


768 bits 


274 


1777 


71 


222 bits 


26,400 bytes 


28.9% 


1 , 024 bits 


419 


2903 


89 


308 bits 


53,760 bytes 


30.1% 


1,024 bits 


479 


3413 


87 


323 bits 


61,440 bytes 


31.5 % 



n 

Note that it is also possible to require that ^ mi < u> but this complicates 

i=() 



coding and has a very limited effect on X. 



2.4 The arithmetic properties of p 



The mulipliticative property of the Legendre symbol yields ; 



(-1)”’' = ^ ^ j where T = {0 < f < n, pi 6 /VQRpJ 

ieA ^ 

Even if the leakage of the bit : 

6 = trii mod 2 

ieA 

is not serious in itself, it may become dangerous in some specific scenari; typically, 
if the same m is sent to several users, relations of the form 



bj = m, mod 2 

i£set\j] 

can be collected and m reconstructed by linear algebra. 

A trivial countermeasure would be to restrict p, G QRp (in this case, s 
can also be even)^ but one may proceed in a more elegant way by specifying 
Po = 2 G NQRp and simila similibus curantur, let 



cancel b. 



niQ 






mod 2 



* there are exactly 54 one-byte primes, 43 nine-bit primes and 75 ten-bit primes. If one 
has to discard half of them, and if one wrints to have a sub-minimal 160-bit message 
space, 50 of the primes will be eleven-bit numbers and key generation will only be 
possible in the lucky event where the quadratic residues have an uneven distribution 
and concentrate on small values. 





32 



Other small factors of p — 1 produce similar phenomena. If q is such a factor, 
then, by raising the ciphertext to the power (p— 1) /q, one ends up with an element 
of a multiplicative sub-group of order q. Since q is small, discrete logarithms can 
be computed in this sub-group and yield a linear equation modulo q where the 
message bits are the unknowns. Leakage through other factors of p — 1 is avoided 
by using a safe prime i.e. a prime p such that (p — l)/2 is prime as well. 

3 Some applications 

3.1 Processing encrypted data 

A major weakness of software encryption is that while being processed, data are 
in a vulnerable state. For being modified, information must be deciphered and 
re-encrypted again. Unfortunately, while in clear, secrets are exposed to a wide 
gamut of threats ranging from scanning by hostile TSR-programs to interception 
in residual electromagnetic radiation. 

The new cryptosystem seems interesting for processing encrypted data as it 
allows to modify (only) by multiplying (or dividing) c by Vk- If m* = 1, an 
additional multiplication by Vk is likely to have no effect on the cleartext" but 
if mk — 0, modular division (by Vk) will destroy the whole plaintext. 

3.2 Incremental encryption 

Similarly, the sender can pre-encrypt a chunk of m and complete c later. This 
feature can be used in group-encryption protocols where each participant adds 
an encrypted chunk to a common ciphertext without gaining knowledge about 
the chucks encrypted by his peers (again, each chunk should be sufficiently big 
to avoid exhaustive search and properly protected against modular division). 

When protection against active attacks is needed (that is, when the peers 
are malicious active adversaries), this feature can be inhibited by using a part 
of m as a (sufficiently big) CRC or by pre-encrypting m with a conventional 
block-cipher keyed with some public constant. 

3.3 Batch encryption 

Surprisingly, encrypting a pair of random message- blocks (here m[l] and m[2]) 
requires only 75% of the multiplications needed for two sequential encryptions 
(*•= 1 , 2 ) : 



c[j] = encrypt(m[i] 0 m[l] A m[‘2]) x encrypt(m[l] A m[2]) mod p 

Although this strategy can be generalised to more than two blocks by building 
an intersection tree, accurate evaluation indicates that bookkeeping quickly costs 
the gain. 

n 

the probability that pk < P is very dose to one if m is uniformly distributed. 

t=0 



2 




33 



4 Implementation 

In order to fit into a 68HC05-based ST16CF54 smart-card (4,096 EEPROM 
bytes, 16,384 ROM bytes and 352 RAM bytes), key storage was replaced by a 
command that re-computes the u-list upon request (re-computation and trans- 
mission take 310 ms per V{ but have to be done only once after reset). The p-list 
is compressed into a string of 48 bytes (in our implementation, n = 74) which 
fc-th bit equals one if and only if k is prime, p,- is extracted by scanning this string 
until i ones were read (p,- is then the value of the scan-counter). To speed-up 
decryption (215 ms plus 33 ms for DES pre-encryption), our 824-byte program 
uses a composite p (four 256-bit factors) and sub-contracts all base-conversion 
operations (r = 3) to the smart-card reader. Benchmarks were done with a 5 
MHz oscillator and ISO 7816-3 T=0 transmission at 115,200 bauds. 

As strange as it may appear, the PC encrypts RSA-compatible ciphertexts 
without using a public exponent. Publishing e = 1/s mod will make the 
computation of the r)-list public but result in a standard RSA with a particular 
message format. 

Although we see no immediate objection to restrict s to 160 bits, we recom- 
mend to avoid doing so before a reasonable scrutiny period (in particular, using 
a short s with a composite p seems related to [24, 23]) and enforce, in general, 
the following recommendations : 

• As for any block cipher, too short messages (< 64 bits) should not be 
encrypted, unless concatenated to an appropriate randomiser [6]. 

• As for RSA and DSA [9], correct implementation must hide the correlation 
between processing time and the weights of m and s. 

• To avoid oracle attacks [1], we recommend to reject all decrypted messages 
that, when re-encrypted by the receiver do not re-yield c. 

• Since the p-list is not necessary for encryption, we recommend to keep it 
secret in practice but assume its knowledge as a weakened target for the sake of 
academic research. 

Unlike RSA, our scheme is not patented; hardware and software implement- 
ing the cryptosystem can therefore be freely used and disseminated. 

5 Challenge 

It is a tradition in the cryptographic community to offer cash rewards for suc- 
cessful cryptanalysis. More than a simple motivation means, such rewards also 
express the designers’ confidence in their own schemes. As an incentive to the 
analysis of the new scheme, we therefore offer (as a souvenir from Eurocrypt’97) 
DM 1024 to whoever will decrypt : 

c = 9D581F9E996C5D0878DC92BF5D6A8D2177B8B853E6697007 
47D2C1411FAC6346045C76596193DE57A3996F0439BE7BD44780 
157CE4497E506DA6 1F09B73BAF3286272AC 1625A5D989749BD38 
46B634819BD26DF278CF6CD9157B891C629D3ECB49CB6E18DB7E 
4D9D4B70DA14738E16B4F7466B48A0FCF96E0A7CBEF7A7A0BDDAi6 




34 



p = EB17673466CF46F2F819B1FB5B15D330FCF1BB063E6C5DBB 
A2A675D1639F0AF897C6CF04B3DEE33EBA6795C4A2E7EEF7CD28 
5721B97F184159987F91DDC9C8270E5D36B2562F23B3881DD795 
FB53634679944F3F11027B1D90BB8D3767151069626420E64E02 
029BE0FA5ECEFC6987C72C10451CC033FFD77A78E8B8B2A60623i6 

where r = 4, n = 74 and the coding convention is space = 0, a = 1, 
b = 2, • • ■ , z = 26. The challenger should be the first to decrypt at least 50% of 
c (the v-list is available by email) and publish the cryptanalysis method which 
must be different than computing the discrete logarithm of one of the t),-s but 
the authors are ready to carefully evaluate ad valorem any feedback they get. 

6 Further research 

Since a first (informal) presentation of the scheme, several researchers began to 
investigate its different aspects and compare its features to RSA [5, 12, 2]. 

Elliptic curving the scheme is still an open problem (since elliptic curves 
are Abelian groups and not Euclidean domains, geds can not be computed). 
Provable security, strategies for reducing the size of the public-key or signing 
with the scheme are also important for increasing the practical usefulness of the 
new cryptosystem. 

A general knapsack taxonomy also seems in order. The idea of multiplicative 
knapsack is roughly 20 years old and was first proposed in the open literature 
by Merkle and Heilman [11] in their original paper. As, observed by Desmedt in 
his 1986 survey [7], encryption in the multiplicative Merkle-Hellman knapsack 
is actually additive. It is in fact the decryption which is multiplicative. The 
scheme presented here is in this respect thoroughly multiplicative. It should also 
be noted that Merkle-Hellman’s knapsack was (partially) cryptanalyzed in by 
Odlyzko [13] but all our attempts to extend this attack to the new scheme failed. 

As a final conclusion, although our scheme seems practical and simple, it can 
hardly compete with RSA on concrete commercial platforms as its public keys 
are typically eighty times bigger than RSA ones. Nevertheless, the new concept 
appears to be a promising starting-point for improvements and further research. 

7 Acknowledgements 

The authors thank Yvo Desmedt, Philippe Hoogvorst, David Kravitz and R,onald 
Rivest and Eurocrypt’s referees for helpful comments and discussions. 

References 

1. R. Anderson, Robustness principles for public-key protocols, LNCS, Advances in 
Cryptology, Proceedings of Crypto’95, Springer- Verlag, pp. 236-247, 1995. 

2. R. Anderson k S. Vaudenay, Minding your p’s and q’s, LNCS, Advances in Cryp- 
tology, Proceedings of Asiacrypt’96, Springer- Vehag, pp. 26-35, 1996. 




35 



3. P. Camion, An example of implementation in a Galois field and more on the 
Naccache-Stern public-key cryptosystem, manuscript, October 27-29, 1995. 

4. B. Chor fc R. Rivest, A knapsack-type public key cryptosystem based on arithmetic 
on finite fields, IEEE Trcmsactions on Information Theory, vol. IT 34, 1988, pp. 
901-909. 

5. T. Cusick, A comparison of RSA and the Naccache-Stern public-key cryptosystem, 
manuscript, October 31, 1995. 

6. D. Denning (Robling), Cryptography and data security, Addison-Wesley Publishing 
Company, p. 148, 1983. 

7. Y. Desmedt, What happened with knapsack cryptographic schemes. Performance 
limits in communication - theory cuid practice, NATO ASI series E : Applied 
sciences, vol. 142, Kluwer Academic Publishers, pp. 113-134, 1988. 

8. W. Diffie M. Heilman, New directions in cryptography, IEEE Transactions on 
Information Theory, vol. IT 22 n° 6, pp. 644-654, 1976. 

9. P. Kocher, Timing attacks in implementations of Diffie -Heilman, RSA, DSS and 
other systems, LNCS, Advances in Cryptology, Proceedings of Crypto’96, Springer- 
Verlag, pp. 104-113, 1996. 

10. H. Lenstra, On the Chor-Rivest knapsack cryptosystem, Journal of Cryptology, vol. 
3, pp. 149-155, 1991. 

11. R. Merkle & M. Heilman, Hiding information and signatures in trapdoor knap- 
sacks, IEEE Transactions on Information Theory, vol. IT 24 n° 5, pp. 525-530, 
1978. 

12. M. Naor, A proposal for a new public-key by Naccache and Stern, presented at the 
Weizmann Institute Theory of Computation Seminar, November 19, 1995. 

13. A. Odlyzko, Cryptanalytic attacks on the multiplicative knapsack cryptosystem and 
on Shamir’s fast signature scheme, IEEE Transactions on Information Theory, vol. 
IT 30, pp. 594-601, 1984. 

14. H. Petersen, On the cardinality of bounded subset products , Technical report TR- 
95-16-E, University of Technology Chemnitz-Zwickau, 1995. 

15. S. Pohhg & M. Heilman, An improved algorithm for computing logarithms over 
GF(q) and its cryptographic significance, IEEE Transactions on Information The- 
ory, vol. 24, pp. 106-110, 1978. 

16. D. Pointcheval, A new identification scheme based on the perceptrons problem, 
LNCS, Advances in Cryptology, Proceedings of Eurocrypt ’94, Springer- Verlag, pp. 
318-328, 1995. 

17. R. Rivest, A. Shamir L. Adleman, A method for obtaining digital signatures and 
public-key cryptosystems, CACM, vol. 21, n“. 2, pp. 120-126, 1978. 

18. A. Salomaa, Public-key cryptography, EATGS Monographs on theoretical computer 
science, vol. 23, Springer-Verlag, page 66, 1990. 

19. A. Shamir, An efficient identification scheme based on permuted kernels, LNCS, 
Advcinces in Cryptology, Proceedings of Crypto’89, Springer-Verlag, pp. 606-609. 

20. G. Simmons, Contemporary cryptology : The science of information integrity, IEEE 
Press, pp. 257-258, 1992. 

21. J. Stern, A new identification scheme based on syndrome decoding, LNCS, Ad- 
vances in Cryptology, Proceedings of Crypto’93, Springer-Verlag, pp. 13-21, 1994. 




36 



22. J. Stern, Designing identification schemes with keys of short size, LNCS, Advances 
in Cryptology, Proceedings of Crypto’94, Springer-Verlag, pp. 164-173, 1994. 

23. P. van Oorschot &: M. Wiener, On Diffie-Hellman key agreement with short ex- 
ponents, LNCS, Advcinces in Cryptology, Proceedings of Eurocrypt’96, Springer- 
Verlag, pp. 332-343, 1996. 

24. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on 
Information Theory, vol. 36, n“. 3, pp. 553-558, 1990. 




On the Importance of Checking Cryptographic 
Protocols for Faults 

(Extended abstract) 



Dan Boneh 
dabo® bellcore.com 



Richard A. DeMillo 
rad@bellcore.com 



Richard J. Lipton* 
lipton@bellcore.com 



Math and Cryptography Research Group, Bellcore, 
445 South Street, Morristown NJ 07960 



Abstract. We present a theoretical model for breaking various cryp- 
tographic schemes by taking advantage of random hardware faults. We 
show how to attack certain implementations of RSA and Rabin signa- 
tures. We also show how various authentication protocols, such as Fiat- 
Shamir and Schnorr, can be broken using hardware faults. 



1 Introduction 

Direct attacks on the famous RSA cryptosystem seem to require that one factor 
the modulus. Therefore, it is interesting to ask whether there are attacks that 
avoid this. The answer is yes: the first was the recent attack based on timing [4], 
It was observed that a few bits could be obtained from the time that operations 
took. This would allow one to break the system without factoring. 

We have a new type of attack that also avoids directly factoring the modulus. 
We essentially use the fact that from time to time the hardware performing the 
computations may introduce errors. There are several models that may enable 
a malicious adversary to collect and possibly cause faults. We give a high level 
description: 

Transient faults Consider a certification authority (CA) that is constantly 
generating certificates and sending them out to clients. Due to random tran- 
sient hardware faults the CA might generate faulty certificates on rare oc- 
casions. If a faulty certificate is ever sent to a client, we show that in some 
cases that client can break the CA’s system and generate fake certificates. 
Note that on many systems, a client is alerted when a faulty certificate is 
received. 

Latent faults Latent faults are hardware or software bugs that are difficult to 
catch. As an example, consider the Intel floating point division bug. Such 
bugs may also cause a CA to generate faulty certificates from time to time. 
Induced faults When an adversary has physical access to a device she may try 
to purposely induce hardware faults. For instance, one may attempt to attack 

* Also at Princeton University. Supported in part by NSF CCR-9304718. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 37-51, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




38 



a tamper-resistant device by deliberately causing it to malfunction. We show 
that the erroneous values computed by the device enable the adversary to 
extract the secret stored on it. 



We consider a fault model in which faults are transient. That is, the hard- 
ware fault only affects the current data, but not subsequent data. For instance, 
a bit stored in a register might spontaneously flip. Or a certain gate may spon- 
taneously produce an incorrect value. Note that the change is totally silent: the 
hardware and the system have no clue that the change has taken place. We as- 
sume that the probability of such faults is small so that only a small number of 
them occur during the computation. 

Our attack is effective against several cryptographic schemes such as the 
RSA system and Rabin signatures [10]. The attack also applies to several au- 
thentication schemes such as Fiat-Shamir [5] and Schnorr [11]. As expected, the 
attack itself depends on the exact implementation of each of these schemes. For 
an implementation of RSA based on the Chinese remainder theorem we show 
that given one faulty version of an RSA signature one can efficiently factor the 
RSA modulus with high probability. The same approach can also be used to 
break Rabin’s signature scheme. In Section 6 we show that hardware faults can 
be used to break other implementations of the RSA system though many more 
faulty values are required. 

In Section 4 we show that the Fiat-Shamir identification scheme [5] is vul- 
nerable to our hardware faults attack. Given a few faulty values an adversary 
can completely recover the private key of the party trying to authenticate itself. 
In Section 5 we obtain the same result for Schnorr’s identification protocol [11]. 
Both schemes are suitable for use on smart cards. 

It is important to emphasize that the attack described in this paper is cur- 
rently theoretical. We are not aware of any published results physically experi- 
menting with this type of attack. The purpose of these results is to demonstrate 
the danger that hardware faults pose to various cryptographic protocols. The 
conclusion one may draw from these results is the importance of verifying the 
correctness of a computation for security reasons. For instance, a smart card 
using RSA to generate signatures should check that the correct signature has in- 
deed been produced. The same applies to a certification authority using RSA to 
generate certificates. In protocols where the device has to keep some state (such 
as in identification protocols) our results show the importance of protecting the 
registers storing the state information by adding error detection bits (e.g. CRC). 
We discuss these points in more detail at the end of the paper. 

We note that FIPS [6] publication 140-1 suggests that hardware faults may 
compromise the security of a module. Our results explicitly demonstrate the 
extent of the damage caused by such faults. 




39 



2 Chinese remainder based implementations 

2.1 The RSA system 

In this section we consider a system using RSA to generate signatures in a naive 
way. Let iV = pg be a product of two large prime integers. To sign a message x 
using RSA the system computes mod N where s is a secret exponent. Here 
the message x is assumed to be an integer in the range 1 to (usually one first 
hashes the message to an integer in that range). The security of the system relies 
on the fact that factoring the modulus N is hard. In fact, if the factors of N 
are known then one can easily break the system, i.e., sign arbitrary documents 
without prior knowledge of the secret exponent. 

The computationally expensive part of signing using RSA is the modular 
exponentiation of the input x. For efficiency some implementations exponentiate 
as follows: using repeated squaring they first compute Ei = x’ modp and E2 = 
x’ mod g. They then use the Chinese remainder theorem (CRT) to compute the 
signature E = x^ mod N. We explain this last step in more detail. Let a,b be 
two precomputed integers satisfying: 

f a = 1 (mod p) j J 6 = 0 (mod p) 

\ a = 0 (mod g) ^6=1 (mod g) 

Such integers always exist and can be easily found given p and g. It now follows 
that 

E = aEi + bE^ (mod N) 

Thus, the signature E is computed by forming a linear combination of E\ and 
E^- This exponentiation algorithm is more efficient than using repeated squaring 
modulo N since the numbers involved are smaller. 

2.2 RSA’s vulnerability to hardware faults 

Our simple attack on RSA signatures using the above implementation enables 
us to factor the modulus N . Once the modulus is factored the system is consid- 
ered to be broken. Our attack is based on obtaining two signatures of the same 
message. One signature is the correct one; the other is a faulty signature. At 
the end of the section we describe an improvement due to Arjen Lenstra [9] that 
factors the modulus using just a single faulty signature of a known message M. 

Let M be a message and let E = M’ mod N be the correct signature of the 
message. Let be a faulty signature. Recall that E and E are computed as 

E = aE\ -t- bE^ (mod N) and E = aE\ + bE^ (mod N) 

Suppose that by some miraculous event a hardware fault occurs only during 
the computation of one of E\,E2- Without loss of generality, suppose a hard- 
ware fault occurs during the computation of E\ but no fault occurs during the 
computation of E2, i.e. E2 — E2- Observe that 

E — E — (^clEi -|- 6F/2) — (^aE\ -1- bE^ a(^E\ — E\^ 




40 



Now, if El — El is not divisible by p then 

gcd(£' - E,N) = gcd{a(Ei - Ei),N) - q 

and so N can be easily factored. Notice that if the factors of N are originally 
chosen at random then it is extremely unlikely that p divides Ei — Ei. After all, 
El — El can have at most log N factors. 

To summarize, using one faulty signature and one correct one the modulus 
used in the RSA system can be efficiently factored. We note that the above 
attack works under a very general fault model. It makes no difference what type 
of fault or how many faults occur in the computation of Ei . All we rely on is 
the fact that faults occur in the computation modulo only one of the primes. 

Arjen Lenstra [9] observed that, in fact, one faulty signature of a known mes- 
sage M is sufficient. Let E = M‘ mod N. Let .B be a faulty signature obtained 
under the same fault as above, that is E = E mod q but E ^ E mod p. It now 
follows that 

gcd(M-B",A) = q 

where e is the public exponent used to verify the signature, i.e. B® = M mod 
N. Thus, using the fact that the message M is known it became possible to 
factor the modulus given only one faulty signature. This is of interest since most 
implementations of RSA signatures avoid signing the same message twice using 
some padding technique. Lenstra’s improvement shows that as long as the entire 
signed message is known, even such RSA/CRT systems are vulnerable to the 
hardware faults attack. 

The attack on Chinese remainder theorem implementations applies to other 
cryptosystems as well. For instance, the same attack applies to Rabin’s signature 
scheme [10]. A Rabin signature of a number x mod N is the modular square root 
of X. The extraction of square roots modulo a composite makes use of CRT and 
is therefore vulnerable to the attack described above. 



3 Register faults 

From here on our attacks are based on a specific fault model which we call register 
faults. Consider a tamper-resistant device. We view the device as composed of 
some circuitry and a small amount of memory. The circuitry is responsible for 
performing the arithmetic operations. The memory (registers plus a small on 
chip RAM) is used to store temporary values. 

Our fault model assumes that the circuitry contains no faults. On the other 
hand, a value stored in a register may be corrupted. With low probability, one 
(or a few) of the bits of the value stored in some register may flip. We will 
need this event to occur with sufficiently low probability so that there is some 
likelihood of the fault occurring exactly once throughout the computation. As 
before, all errors are transient and the hardware has no clue that the change has 
taken place. 




41 



4 The Fiat-Shamir identification scheme 



The Fiat-Shamir [5] identification scheme is an efficient method enabling one 
party, Alice, to authenticate it’s identity to another party, Bob. They first agree 
on an n-bit modulus N which is a product of two large primes and a security 
parameter t. Alice’s secret key is a set of invertible elements «i, . . . , Sj mod N. 
Her public key is the square of these numbers = s^, . . . , Ut = (mod N). 
To authenticate herself to Bob they engage in the following protocol: 

1. Alice picks a random r 6 and sends mod N to Bob. 

2. Bob picks a random subset 5 C and sends the subset to Alice. 

3. Alice computes y = r ■ Higs **' ^ and sends y to Bob. 

4. Bob verifies Alice’s identity by checking that j/^ = • Hies (™od N) . 

For the purpose of authentication one may implement Alice’s role in a tamper 
resistant device. The device contains the secret information and is used by Alice 
to authenticate herself to various parties. We show that using register faults one 
can extract the secret si, . . . ,St from the device. We use register faults that occur 
while the device is waiting for a challenge from the outside world. 

Theorem 1. Lei N be an n-bii modulus and t the predetermined security pa- 
rameter of the Fiat-Shamir protocol. Given t faulty runs of the protocol one can 
recover the secret si, . . ,,St in the time H takes to perform 0(nt -f modular 
multiplications. 

Proof. Suppose that due to a miraculous fault, one of the bits of the register 
holding the value r is flipped while the device is waiting for Bob to send it 
the set S. In this case, Bob receives the correct value r^ modN, however y is 
computed incorrectly by the device. Due to the fault, the device outputs: 

y = (r + £)•]][ s< 

• €S 

where E is the value added to the register as a result of the fault. Since the fault 
is a single bit flip we know that E = ±2‘ for some i = 0,...,n — 1. Observe that 
Bob knows the value Hies therefore compute 

(r -t- Ef = fp— - (mod N) 

Hies 

Since there are only n possible values for E Bob can guess its value. When E is 
guessed correctly Bob can recover r since 

{r + E)^ -r^ = 2E -r+ E^ (mod TV) 

and this linear equation in r can be easily solved. Bob’s ability to discover the 
secret random value r is the main observation which enables him to break the 
system. Using the value of r and E Bob can compute: 



n®>= 



y 

r-\-E 



(mod TV) 




42 



To summarize, Bob can compute the value Jl«es *»' guessing the fault value 
E and using the formula: 






2Ey 




-r'^ + E'^ 



(mod N) 



We now argue that Bob can verify that the fault value E was guessed cor- 
rectly. Let T be the hypothesized value of Hies *»' obtained from the above for- 
mula. To test if T is correct Bob can verify that the relation = n»65 ^ 

holds. Usually only one of the possible values for E will satisfy the relation. In 
such a case Bob correctly obtains the value of ritgs 

Even in the unlikely event that two values E, E' satisfy the relation, Bob 
can still break the system. If there are two possible values E, E' generating two 
values T,T' ,T ^ T' satisfying the relation then clearly = (T')^ mod N . If 
T ^ — T' mod iV then Bob can already factor N. Suppose T = —T' mod TV. 
Then since one of T or T' must equal Higs correct fault 

value) it follows that Bob now knows Hies ^ sign. For our purposes 

this is good enough. 

The testing method above enables Bob to check whether a certain value of 
E is the correct one. By testing all n possible values of E until the correct one is 
found Bob can compute Higs *»'• Consequently, to correctly determine the value 
of Higs S requires 0{n + t) modular multiplications. For t sets we 

need 0{nt + 1^) modular multiplications. 

Observe that once Bob has a method for computing Higs various sets 
S of his choice, he can easily find si, . . .,sj. The simplest approach is for Bob 
to construct nig5®» singleton sets, i.e. sets S containing a single element. 
If 5 = {A;} then fltgs hence the Sj’s are immediately found. How- 

ever, it is possible that the device might refuse to accept singleton sets 5. In 
this case Bob can still find the s, ’s as follows. We represent a set 5 C {1, . . . , t} 
by its characteristic vector U € {0, 1}S i.e. f/, = 1 if i £ 5 and Ui — 0 other- 
wise. Bob picks sets Si,. . ,,St such that the corresponding set of characteristic 
vectors Ui, . . . ,Ut form a, t x t full rank matrix over 22- Bob then uses the 
method described above to construct the values Tj = FligSi of the 

sets Si , .... St . To determine si Bob constructs elements oi , . . . , at £ {0, 1} such 
that 

aiUx -b . . . + atUt = (1, 0, 0, . . . , 0) (mod 2) 

These elements can be efficiently constructed since the vectors U\,. . .,Ut are 
linearly independent over Z2- When all computations are done over the integers 
we obtain that 



aiUi -b . . . -|- Utf/t — (2&1 -b 1, 262, 263 , . . . , 2bf) 
for some known integers bi, . . .,bt. Bob can now compute si using the formula 

. . . 'T'^* 

= "V — 




43 



Recall that the values Vi — sj (mod N) are publicly available. The values 
S 2 , ■■■, St can be constructed using the same procedure. This phase of the algo- 
rithm requires 0{t^) modular multiplications. 

To summarize, the entire algorithm above made use of t faults and made 
0{nt+t^) modular multiplications. □ 

We emphasize that the faults occur while the device is waiting for a challenge 
from the outside world. Consequently, the adversary knows at exactly what time 
the register faults must be induced. 

We described the algorithm above for the case where a register fault causes 
a single bit flip. More generally, the algorithm can be made to handle a small 
number of bit flips per register fault. However, finding the correct fault value E 
becomes harder. If a single register fault causes c bits in the register to flip then 
the running time of the algorithm becomes O(n’^t) modular multiplications. 

4.1 A modification of the Fiat-Shamir scheme 

One may suspect that our attack on the Fiat-Shamir scheme is successful due 
to the fact that the scheme is based on squaring. Recall that Bob was able to 
compute the random value r chosen by the device since he was given and 
(r -f E)"^ where E is the fault value. One may try to modify the scheme and use 
higher powers. We show that our techniques can be used to break this modified 
scheme as well. 

The modified scheme uses some publicly known exponent e instead of squar- 
ing. As before, Alice’s secret key is a set of invertible elements , . . . , si mod N. 
Her public key the set of numbers = s* , . . . , = s® mod N . To authenticate 

herself to Bob they engage in the following protocol: 

1. Alice picks a random r and sends r® mod N to Bob. 

2. Bob picks a random subset 5 C {1, . . .,t} and sends the subset to Alice. 

3. Alice computes y = r ■ Higs A and sends y to Bob. 

4. Bob verifies Alice’s identity by checking that y’^ = r° ■ n,g 5 (mod N) . 

When e = 2 this protocol reduces to the original Fiat-Shamir protocol. Using 
the methods described in the previous section Bob can obtain the values L\ = 
r® mod N and L 2 = {r+Ey mod N. As before we may assume that Bob guessed 
the value of E correctly. Given these two values Bob can recover r by observing 
that r is a common root of the two polynomials 

— Li (mod N) and (a; -f Ey = L 2 (mod TV) 

Furthermore, r is very likely to be the only common root of the two polyno- 
mials. Consequently, when the exponent e is polynomial in n Bob can recover 
r by computing the GCD of the two polynomials. Once Bob has a method for 
computing r he can recover the secrets Si , . . . , as discussed in the previous 
section. 




44 



5 Attacking Schnorr’s identification scheme 

The security of Schnorr’s identification scheme [11] is based on the hardness of 
computing discrete log modulo a prime. Alice and Bob first agree on a prime 
p and a generator g of Z*. Alice chooses a secret integer s and publishes y = 
g‘ mod p as her public key. To authenticate herself to Bob, Alice engages in the 
following protocol: 

1. Alice picks a random integer r G [0,p) and sends z = g’’ modp to Bob. 

2. Bob picks a random integer t G [0,T] and sends t to Alice. Here T < p is 

some upper bound chosen ahead of time. 

3. Alice sends u = r + t ■ s mod p — 1 to Bob. 

4. Bob verifies that g'‘ — z ■ y* mod p. 

For the purpose of authentication one may implement Alice’s role in a tamper 
resistant device. The device contains the secret information s and is used by Alice 
to authenticate herself to various parties. We show that using register faults one 
can extract the secret s from the device. In this section log x denotes logarithm 
of X to the base e. 

Theorem 2. Let p be an n-bit prime. Given nlog4n faulty runs of the protocol 
one can recover the secret s with probability at least | in the time it takes to 
perform O(n^logn) modular multiplications. 

Proof. Bob wishing to extract the secret information stored in the device first 
picks a random challenge t G ^p-i- The same challenge will be used in all 
invocations of the protocol. Since the device cannot possibly store all challenges 
given to it thus far, it cannot possibly know that Bob is always providing the 
same challenge t. The attack enables Bob to determine the value t ■ s mod p — 1 
from which the secret value s can be easily found. For simplicity we set x — 
ts mod p — 1 and assume that g^ mod p is known to Bob. 

Suppose that due to a miraculous fault, one of the bits of the register holding 
the value r is flipped while the device is waiting for Bob to send it the challenge 
t. More precisely, when the third pheise of the protocol is executed the device 
finds f — r ±2* in the register holding r. Consequently, the device will output 
u = r + X mod p — 1. Suppose r = r + 2'. Bob can determine the value of i (the 
fault position) by trying all possible values * = 0, . . . , n — 1 until an * satisfying 

</“ = (mod p) 

is found. Assuming a single bit flip, there is exactly one such i. The above identity 
proves to Bob that f = r + 2‘ showing that the i’th bit of r flipped from a 0 
to a 1. Consequently, Bob now knows that indeed that i’th bit of r must be 0. 
Similar logic can be used to handle the ceise where r = ) — 2^ In this case Bob 
can deduce that the i’th bit of r is 1. 

More abstractly. Bob is given x + . . . , x + mod p — 1 for random 

values (recall k = nlog4n). Furthermore, Bob knows the value of 




45 



some bit of each of , A'‘\ Obtaining this information requires 0{n^ log n) 

modular multiplications since for each of the k faults one must test all n possible 
values of i. Each test requires a constant number of modular multiplications. 

We claim that using this information Bob can recover x in time O(n^). We 
assume the k faults occur at uniformly and independently chosen locations in 
the register r. The probability that at least one fault occurs in every bit position 
of the register r is at least 1 — n (l — i)* > 1 — n • e“ ’“S'*” In other words, 
with probability at least for every 0 < i < n there exists an among 
. . . , such that the t’th bit of is known to Bob (we regard the first 
bit as the LSB). 

To recover x Bob first guesses the logSn most significant bits of x. Later we 
show that Bob can verify whether his guess is correct. Bob tries all possible log 8n 
bit strings until the correct one is found. Let X be the integer that matches x on 
the most significant log 8n bits and is zero on all other bits. For now we assume 
that Bob correctly guessed the value of X. Bob recovers the rest of x starting 
with the LSB. Inductively suppose Bob already knows bits a;j_i ...xiXq of x 
(Initially i = 0). Let Y = 2^ Xj. To determine bit Xi Bob uses of which 

he knows the Fth bit and the value of x + r^'h Let b be the i’th bit of r^‘^. Then 



ajj = 6 0 j’th bit(a; + rl’l — Y — X mod p — 1) 

assuming no wrap around, i.e., 0 < a: + — y-A'<p-l.By construction 

we know that 0<x — y < p/Sn. Hence, wrap around will occur only if 
r(‘) > (1 — ^)p. Since the r’s are independently and uniformly chosen in the 
range [0,p) the probability that this doesn’t happen in all n iterations of the 
algorithm is (1 — gL)" > 

To summarize, we see that for the algorithm to run correctly two events 
must simultaneously occur. First, all bits of r must be “covered” by faults. 
Second, all the r,- must be less than (1 — ^)p- Since each event occurs with 
probability at least |, both events happen simultaneously with probability at 
least |. Consequently, with probability at least once X is guessed correctly 
the algorithm runs in linear time and outputs the correct value of x. Of course, 
once a candidate x is found it can be easily verified using the public data. There 
are 0(n) possible values for X and hence the running time of this step is O(n^), 
Since the first part of the algorithm requires 0(n^ logn) modular multiplications 
it dominates in the overall running time. □ 



We note that the attack also works when a register fault induces multiple 
bit flips in the register r (i.e. r = r + 2'»), As long as the number of bit 

flips c is constant, their exact location can be found in polynomial time. We also 
note that the faults we use occur while the device is waiting for a challenge from 
the outside world. Consequently, the adversary knows at exactly what time the 
faults should be induced. 




46 



6 Breaking other implementations of RSA 

In Section 2.1 we observed that CRT based implementations of RSA can be 
easily broken in the presence of hardware faults. In this section we show that 
using register faults it is possible to break other implementations of RSA as well. 
Let N be an n-bit RSA composite and s a secret exponent. The exponentiation 
function x — >■ x‘ mod N can be computed using either one of the following two 
algorithms (we let s = s„_is„_ 2 . . .siso be the binary representation of s): 

— Algorithm I 

init 1 / <— X ; z *— 1. 

main For l; = 0,...,u— 1. 

If Sjt = 1 then z z ■ y (mod N). 
y ^ (mod N). 

Output 2 . 

— Algorithm II 

init z 1. 

main For 1: = n — 1 down to 0. 

If Si = 1 then z <— • X (mod N). 

Otherwise, z *— (mod N). 

Output z, 

For both algorithms given several faulty values one can recover the secret 
exponent in polynomial time. Here by faulty values we mean values obtained 
in the presence of register faults. The attack only uses erroneous signatures of 
randomly chosen messages; the attacker need not obtain the correct signature 
of any of the messages. Furthermore, an attacker need not obtain multiple sig- 
natures of the same message. The following result was the starting point of our 
research on fault based cryptanalysis: 

Theorems, Let N be an n-bii RSA modulus. For any I < m < n, given 
[n j m)log2n faults, the secret exponent s can be extracted from a device imple- 
menting the first exponentiation algorithm with probability at least | in the time 
it takes to perform 0((2"‘n^ log^ n)/m^) RSA encryptions. 

Proof. We use the following type of faults: let M G Zjv be a message to be signed. 
Suppose that at a single random point during the computation of M‘ mod N a 
register fault occurs. More precisely, at a random point in the computation one of 
the bits of the register z is flipped. We denote the resulting erroneous signature 
by E. We intend to show that an ensemble of such erroneous signatures enables 
one to recover the secret exponent s. Even if other types of faulty signatures are 
added to the ensemble, they do not confuse our algorithm. 

Let I = {n/m)log2n and let Mi, . . . , G 2^^ be a set of random messages. 
Set Ei — Mf mod N to be the correct signature of M,-. Let Ei be an erroneous 
signature of Mj. We are given Ei but do not know the value of Ei. A register 
fault occurs at exactly one point during the computation of E,. Let ki be the 




47 



value of k (recall k is the counter in algorithm I) at the point at which the 
fault occurs. Thus, for each faulty signature, E,, there is a corresponding 
indicating the time at which the fault occurs. We may sort the messages so that 

0 ^ ^1 ^ ^2 < ■ ■ • < The time at which the faults occur is chosen 

uniformly (among the n iterations) and independently at random. It follows 
that given I such faults, with probability at least half, ki+i — ki < m for all 

1 = 1, ...,/- 1. To see this observe that the probability that no fault occurs in 

a specific interval of width m is < l/2n. Since there are at most n such 

intervals the probability that all of them contain a fault is at least 1 — « • ^ = I • 
Note that since we do not know where the faults occur, the values ki are unknown 
to us. 

Let s = s„_i . . .SiSo be the bits of the secret exponent s. We recover a block 
of these bits at a time starting with the MSBs. Suppose we already know bits 
Sn-i ... Si, for some i. Initially i = I + 1 indicating that no bits are known. We 
show how to recover bits Si,_iSi,_ 2 . ■ We intend to try all possible bit 

vectors until the correct one is found. Since even the length of the block we are 
looking for is unknown, we have to try all possible lengths. The algorithm works 
eis follows: 

1. For all lengths r = 1, 2, 3 ... do: 

2. For all candidate r-bit vectors do: 

3. Set w = In other words, w matches the bits of 

s and u at all known bit positions and is zero everywhere else. 

4. Test if the current candidate bit vector is correct by checking if one of the 
erroneous signatures Ej , j = 1,. . .,l satisfies 

36 € {0, . . . , n} s.t. (^Ej ± 2*M/')" = Mj (mod N) 

Recall that e is the public signature verification exponent. The ± means that 
the condition is satisfied if it holds with either a plus or minus. 

5. If a signature satisfying the above condition is found output Ujb,-iUjt ,_2 • • • 

and stop . At this point we know that Iii-i = ki — r a.nd • • -Sifei-i - 

Uki-lUki-2 ■ ■ -Uki-r- 

We show that the condition at step (4) is satisfied by the correct candidate 
Ui,-iUjb ,-2 • ■ To see this recall that Ei^i is obtained from a fault at the 

A:,_i’st iteration. That is, at the I:,_i’st iteration the value of z was changed to 
z <— z ± 2*” for some 6. Notice that at this point Ei-\ — From that point 

on no fault occurred and therefore the signature Ei-\ satisfies 

Ei-r = = Ei-x ± 2‘M^i (mod N) 

When in step (4) the signature Ei-i is corrected it properly verifies when raised 
to the public exponent e. Consequently, when the correct candidate is tested, 
the faulty signature .B,_i guarantees that it is accepted. 

To bound the running time of the algorithm we bound the number of times 
the condition of step (4) is executed. One must try all possible candidate bit 




48 



vectors u against all possible error locations b and erroneous signatures Ej. 
Consequently, the number of times the condition is tested is at most 



nl- 



n — ki ki^-ki-i 


ki—ki ki 




m 


E 2^ + ' 

r=l r = l 


r=l r=l 


< nl 


i.^r 

. r = l 






Hence, the algorithm runs in the time it takes to perform 0((2’”n^ log^ n)/m^) 
RSA encryptions. 

We still need to show that a wrong candidate will not pass the test of step 
(4) with high probability. Suppose some signature incorrectly causes the 
wrong candidate u' to be accepted at some point in the algorithm. That is, 
E„ ±2*'M“ = jE'v mod N even though E„ was generated by a different fault (here 
w is defined as in step (3) using the bits of u'). We know that Ev = 
for some 6i, wi with wi ^ w. Therefore, 



E^ ± ± ^ E„ (mod N) 



In other words, M(, is a root of a polynomial of the form + 02 x'^ = 0 mod N 
for some oi, U 2 , w. To bound the number of roots write <p(N) = gf' and 
gcd(tDi - w, = Hi=i ' where the gj are distinct primes. The number of 

roots is upper bounded by a nLi<zr (th is is the maximum number of roots 
of a polynomial of the form = as mod N). Observe that a is a function 

of w and u;i. Since the message M„ is chosen independently of the fault location 
(i.e. independently of 6i, wi) it follows that M« is a root with probability at most 
a/N. Consequently, the probability that a specific E^ causes a specific wrong 
candidate u' to be accepted is bounded by a/N. 

Define d to be the maximum value of a over all possible values of w,wi (note 
that there are / possible values for ivi and 0(2’”/) possible values for u)). Let B be 
the number of times the equality test at step (4) is invoked, i.e. B = 0(nl^2"‘). 
Then the probability that throughout the algorithm a wrong candidate is ever 
accepted is bounded by Ba/N . We argue that with high probability (over the 
fault locations) q < N/nB. This will prove that a wrong candidate is never 
accepted with probability at least 1 — ^ (over the random messages M„). This 
will complete the proof of the theorem. 

Suppose that over the random choice of the secret exponent s, and the ran- 
dom choice of the fault location ki we have that Pr[d > N/nB] > 1/n*’ for some 
fixed c > 1. We show that in this case there is an efficient algorithm for factoring 
N. This will prove that we may indeed assume that a < N/nB with probability 
bigger than 1 - ^ for all c > 1 (since otherwise N can already be factored). 

The factoring algorithm works as follows. It picks a random exponent s and 
random messages Mi , . . . , M( G Z jv • It then computes erroneous signatures Ei 
of the Mi by using the first exponentiation algorithm to compute M’ mod N 
and deliberately simulating a random register fault at a random iteration. By 
assumption, with probability at least l/n' we have a > N/nB. Here the values 
w,wi,a and a are defined as above using the simulated faults. Since d > N/nB 




49 



there exist some for which a > N/nB. By definition of a it follows that 
ip{N) divides t(wi — u))" for some integer 0 < t < nB. To see this observe that a 
divides (ii;i — u;)” and a = (p{N)/t for some 0 < t < nB. These values w,wi,t can 
be found using exhaustive search since there are only 0{l ■ ■ nB) = 

possibilities. Once a multiple of ip{N) is constructed, namely t(mi — w)" , the 
modulus N can be efficiently factored. By repeating this process n' times we 
factor N with constant probability. The total running time of the algorithm is 
polynomial in n and 2"* . 

□ 

If one allows the algorithm to obtain both the erroneous and correct signature 
of each message M; then the running time of the algorithm can be improved. 
The test at step (4) can be simplified to 

36 e {0, .... n} s.t. Ej ± 2^Mf = Ej (mod N) 
thus saving the need for an RSA encryption on every invocation of the test. 



7 Defending against an attack based on hardware faults 

One can envision several methods of protection against the type of attack dis- 
cussed in the paper. The simplest method is for the device to check the output 
of the computation before releasing it. Though this extra verification step may 
reduce system performance, our attack suggests that it is crucial for security 
reasons. In some systems verifying a computation can be done efficiently (e.g. 
verifying an RSA signature when the public exponent is 3). In other systems 
verification appears to be costly (e.g. DSS). 

Our attack on authentication protocols such as the Fiat-Shamir scheme uses 
a register fault which occurs while the device is waiting for a response from 
the outside world. One can not protect against this type of a fault by simply 
verifying the computation. As far as the device is concerned, it computed the 
correct output given the input stored in its memory. Therefore, to protect multi- 
round authentication schemes one must ensure that the internal state of the 
device can not be affected. Consequently, our attack suggests that for security 
reasons devices must protect internal memory by adding some error detection 
bits (e.g. CRC). 

Another way to prevent our attack on RSA signatures is the use of random 
padding. See for instance the system suggested by Bellare and Rogaway [1]. In 
such schemes the signer appends random bits to the message to be signed. To 
verify the RSA signature the verifier raises the signature to the power of the 
public exponent and verifies that the message is indeed a part of the resulting 
value. The random padding ensures that the signer never signs the same message 
twice. Furthermore, given an erroneous signature the verifier does not know the 
full plain-text which was signed. Consequently, our attack cannot be applied to 
such a system. 




50 



8 Summary and open problems 

We described a general attack which makes use of hardware faults. The attack 
applies to several cryptosystems. We showed that encryption schemes using Chi- 
nese remainder, e.g. RSA and Rabin signatures, are especially vulnerable to this 
kind of attack. Other implementations of RSA are also vulnerable though many 
more faults are necessary. The idea of using hardware faults to attack crypto- 
graphic protocols applies to authentication schemes as well. For instance, we ex- 
plained how the Fiat-Shamir and Schnorr identification protocols may be broken 
using hardware faults. The same applies to the Guillou-Quisquater identification 
scheme [8] though we do not give the details here. Recently several symmetric 
ciphers such as DES have also been analyzed for their ability to withstand a 
faults based attack [2]. 

Verifying the computation and protecting internal storage using error de- 
tection bits defeats attacks based on hardware faults. We hope that this paper 
demonstrates that these measures are necessary for security reasons. Methods of 
program checking [3] may come in useful when verifying computations in crypto- 
graphic protocols. Specifically, a recent result of Frankel, Gemmel and Yung [7] 
could prove useful in this context. 

An obvious open problem is whether the attacks described in this paper can 
be improved. That is, can one mount a successful attack using fewer faults? To 
make the problem crisp we pose the following concrete question; can a general 
implementation of RSA be broken using significantly fewer faults than n, say \/n? 
(here n is the size of the modulus). Such a result would significantly improve 
our Theorem 3. Ideally we would like to break a general implementation of RSA 
using only a constant number of erroneous encryptions. 



Acknowledgements 

We are grateful to Arjen Lenstra for his many helpful comments. We also thank 
R. Venkatesan for his help in working out some preliminary details of Differential 
Fault Analysis of DES in parallel to Biham and Shamir. 

References 

1. M. Bellare, P. Rogaway, “The exact security of digital signatures - How to sign 
with RSA and Rabin”, in Proc. Eurocrypt 96, pp. 399-416. 

2. E. Biham, A. Shamir, “A New Cryptanalytic Attack on DES: Differential Fault 
Analysis”, Manuscript. 

3. M. Blum, H. Wasserman, “Program result checking”, proc. FOCS 94, pp. 382- 
392. 

4. P. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, 
and other systems”, Proc. of Cyrpto 96, pp. 104-113. 

5. U. Feige, A. Fiat, A. Shamir, “Zero knowledge proofs of identity”, Proc. of 

STOC 87. 




51 



6. Federal Information Processing Standards, “Security requirements for cryp- 
tographic modules”, FIPS publication 140-1, 

http : //www.nist . gov/itl/csl/f ips/i ipl40-l . txt. 

7. Y. Frankel, P. GemmeU, M. Yung, “Witness based cryptographic program 
checking and robust function sharing”, proc. STOC 96, pp. 499-508. 

8. L. GuUlou, J. Quisquater, “A practical zero knowledge protocol fitted to se- 
curity microprocessor minimizing both transmission and memory”, in Proc. 
Eurocrypt 88, pp. 123-128 

9. A.K. Lenstra, Memo on RSA signature generation in the presence of faults, 
manuscript. Sept. 28, 1996. Available from the author. 

10. M. Rabin, “Digital signatures and public key functions as intractable 
as factorization”, MIT Laboratory for computer science. Technical report 
MIT/LCS/TR-212, Jan. 1979. 

11. C. Schnorr, “Efficient signature generation by smart cards”, J. Cryptology, 
Vol. 4, (1991), pp. 161-174. 




Lattice Attacks on NTRU 



Don Coppersmith* Adi Shamir** 



Abstract. NTRU is a new public key cryptosystem proposed at Crypto 
96 by Hoffstein, Pipher and Silverman from the Mathematics department 
of Brown University. It attracted considerable attention, and is being 
advertised over the Internet by NTRU Cryptosystems. Its security is 
based on the difficulty of analyzing the result of polynomial arithmetic 
modulo two unrelated moduli, and its correctness is based on clustering 
properties of the sums of random variables. In this paper, we apply new 
lattice basis reduction techniques to cryptanalyze the scheme, to discover 
either the original secret key, or an alternative secret key which is equally 
useful in decoding the ciphertexts. 



1 Introduction 

NTRU [1] was proposed at the rump session of Crypto 96, as a fast public-key 
encryption system. The authors explored several potential attacks against the 
scheme, but concluded that they are extremely unlikely to succeed. In particular, 
they considered the standard lattice-based attack and showed that the attackers 
could not expect to find the secret key by computing the shortest vector in this 
lattice with the LLL [3] algorithm, since the secret key was surrounded by a 
“cloud” of exponentially many unrelated lattice vectors. 

In this paper we present another lattice-based attack, which should either 
find the original secret key f or an alternative key f' which can be used in place 
of f to decrypt ciphertexts with only slightly higher computational complexity. 
We construct a lattice L, each of whose elements corresponds to a potential 
decrypting key f'; the effectiveness of f' for decrypting is directly related to the 
length of the corresponding lattice element. If we find any vector as short as f , 
we can decrypt easily. If, instead, we find several vectors each being 2 or 3 
times the length of f , then we can obtain partial decryptions from each potential 
key and piece them together to form a total decryption. 

The paper is organized as follows. Section 2 gives some notation, and intro- 
duces a norm which will be useful to our analysis. In Section 3 we sketch the 
NTRU cryptographic system. In Section 4 we describe the lattice L. Section 5 
relates the probability of success to the lengths of the recovered short vectors in 
the lattice. 



* IBM Research, Yorktown Heights, NY, USA; copperSwatson. ibm.com 
** Dept. Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel; 
shamirawisdom . woizmaim .ac.il 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 52-61, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




53 



2 Notation 

We denote the integers by Z and the integers modulo g by Z,. i\T is a positive 
integer. We will identify the vector space (respectively Z ^ ) with the ring of 
polynomials Z[X]/(X^ - 1) (resp. Zq[X\l{X^ - 1)), by 

f = (/o,/i,-..,/7v-if = 

A boldface letter f represents a vector. The convolution of two vectors is given 
by f * g where 

i-\-j=k (mod N) 

this is the ordinary polynomial product in Zq[X\({X^ - 1)) and is both com- 
mutative and associative. The vector of all I’s is denoted by 1. The matrix of all 
I’s is J, and the identity matrix is I. The symbol denotes a multiplicative 
inverse of p modulo q. 



2.1 Approximations to a norm 
For X € Z^ define 

X = i Ef=o^ 0., 

|x|x = -x)^) ' 

So |x|j^ is the standard deviation of the entries of x, scaled by \/N. This norm is 
invariant under the operation of adding tl to x, that is, adding t to each entry 
Xi. It is the norm of the projection of x orthogonal to the vector 1, hence the 
± symbol. 

In some circumstances we will use the approximation 

|x*y|x « |x|_Llyli- (1) 

Indeed, letting Xi —x. + Wi and yj — y + zj we find 

|x * yll = EJ(x * y)fc - xTy]2 

-E.(w*z)i 

= Efc (Ei (Ej ^j^k-j) , 

with indices being considered modulo N. For each product WiZk-iWjZk-j counted 
in the sum, the difference j-i between the w- indices is the same as the difference 
{k — i) — (k - j) between the z-indices. Letting d = i — j denote this common 
difference, and setting £ = k — j, we rearrange the sum as; 

|x * yll = Ed (Ei WiWi+d) (Er ^tzi+d) 

= (Ei ^1) (Er zj) + Ed^o (Ei mwi+d) (Er ZiZf+d) 

= |x|l |y|l + Ed?io (Ei u>m+d) (E^ ztzt+d) 




54 



Now let us assume that w and z behave like random vectors. For each of the N—l 
terms corresponding to nonzero d, the autocorrelation coefficient WiWi-^-d 
should be smaller than the corresponding sum with d — 0, namely 
by a faetor of about 1/\/N, and similarly with the autocorrelation coefficient 
so that the product should be smaller by a factor of 1/iV. Further, 
these terms come in with random sign, so that some cancellation should occur. 
So, in the random case, we can assume that the second sum (over nonzero values 
of d) is much smaller than the first term, corresponding to d = 0. This leads us 
to the approximation (1); 

|x * y|x = |y|x + smaller terms 

|x*y|_L = jxjj^ |y|j^ + smaller terms 

3 The NTRU system 

We sketch the NTRU system, as developed in [1]. We give sample parameters, 
based on the authors’ original recommendations, to aid the reader’s intuition, 
but with the caution that these parameters can be modified in future versions 
of the NTRU system. 

Public parameters include three positive integers, (N,p,q), with p and g 
relatively prime. For example we might have N = 167, p = lb, q = 1024. Part 
of the public key is a vector h € Z^. The space of allowable plaintext messages 
mis Sm = {0, 1, . . . ,p - 1}^. 

There are additionally spaces 

S^,5f,5g C Zf 

of allowable values of vectors </>, f and g, to be described in the next few para- 
graphs. For example, we might have each of S,j, — Sf = 5g being the collection 
of all fV-vectors with d = 71 entries of 1 and N — d = % entries of 0. 

The private key contains vectors f £ Sf and g £ 5g related to the public 
key h, and integers which need not be kept secret. The values f and g 

satisfy 

pg = f * h (mod q). (2) 

The private key also includes a vector f“^, calculated from f, satisfying 

f + = (1,0,0,..., 0)'^ (modp). 

This product corresponds to the polynomial 1, 

Encryption: To encrypt the plaintext m, the encryptor randomly selects 
(j) £ and computes the ciphertext 

e = 0*h-f-m (mod g). 

A different random choice of (f> is made for each plaintext m, 




55 



Decryption: The decryptor computes 

a = f*e = (f*h)*d> + f*m (mod q), 



and adjusts the entries by 



bk=ak + t- 




if ajt < s 
if Ufe > s. 



Notice that 

(f + h) * 0 = pg * 0 (mod q). 

Parameters are chosen so that both 1 + pg * and f 2 1 + f * m are “small 
enough” : the entries of the non-modular expression 



b = fl+pg*^ + f*m 



are guaranteed to lie between —q/2 and q/2 most of the time. If in fact all 
entries lie in that range, the decryptor can switch from computation modulo q 
to computation modulo p, and calculate 

b * fp ^ (mod p). 

This removes dependence on the unknown <j>, and recovers m. 

We estimate the bound on the elements of b which still make this computa- 
tion possible. Using the approximation (1) we can say that 

|tii + pg*d»L «p|glj. Id’ll 

where is the norm of a typical element of S^. (We can arrange things so 
that all such <f) have the same norm.) Similarly 



|t2l -I- f * m|j^ fs |f|j^ |m|_L . 

Making the second assumption that the two vectors til-fpg*d* t 2 l+f*m 
are nearly orthogonal, we would obtain 

|b|^ = |tl -I- pg * -t- f * m|5_ ~ |*il + Pg + d*li -I- 1 * 2 ! + f * 

« |gll Id’ll + |fll IHI . 

which we choose to write as 

|b|l « (y Id’ll) lgll + (|m|l) |f|l ■ (3) 

Make the third assumption that the entries of b are normally distributed^ 
with mean near 0 (this governed our choice of i) and standard deviation a w 
1^1 X /v^- The decoding procedure will fail if any of the N entries 6* exceeds 
g/2 in absolute value. 

In the table below, we see the effect of letting q/2 be a reasonable multiple 
(3,4,5 or 6) of the standard deviation a. The second column gives the probability 
that an individual term |6j| will exceed q/2 (and hence be misinterpreted), and 




56 



the third column gives the probability that at least one of the N — 167 terms 
16jl exceeds q/2 (and hence the decryption is incorrect). 





Individual 


Failure among 




failure 


167 entries 


(g/2)/o- 


p = Prob{|6j) > g/2} 


l-(l-p)^ 


3 


2.70 X 10-^ 


3.63 X 10-1 


4 


6.33 X 10~® 


1.05 X 10-2 


5 


5.73 X 10-^ 


9.57 X 10-® 


6 


1.97 X 10~® 


3.30 X 10-1’ 



So if q/2 = b(T (that is, a — 9/IO) the procedure will correctly decode most 
messages. We would want to arrange parameters so that <r < q/10, and a smaller 
value of <r would ensure higher reliability. 

Remark: We are essentially using an estimate on the norm of b to pro- 
duce an estimate of its norm; the bound is relatively easy to estimate, 
but the L°° bound is what is required for error-free decoding. 



4 The lattice 

We have seen that reliability of decoding is directly related to the ratio of a « 
|b|j^ !\/N to q. In turn, equation (3) gives an estimate of |b(j^ in terms of jflj^ 
and |g|j^, where pg = f * h (mod q). 

Let us consider an alternate iV-vector f' which the cryptanalyst can use 
in place of the correct value f. Calculate from equation (2) a value g', and 
from equation (3) an estimate of |b'|j^. If this value |b'|j^ is comparable to |b|j^ 
(smaller or not much larger), then the cryptanalyst will be able to mimic the 
legitimate decoder, using f' and g', to decode the message. 

Thus we find the system of equations 

pg' = f' * h (mod q) (4) 

lb'll « (p^ l^^ll) Ig'll + (|m|l) |f'|l . (5) 

Consider \(()\^ and |m|j^ to be held constant at their “typical” values. Setting 



we are left with 



Pl0l± ’ 



N 



It is a simple matter to build a lattice L, whose elements correspond to 
choices of f' and corresponding g', and with the squared norm of the elements 
being 

Ig'll TA^if'll- 




57 



Start with a 2n x 2n matrix L': 



L' = 



XI 0 
H ql ■ 



Here I is the N x N identity matrix, and H is the circulant matrix whose 
columns are circularly shifted versions of the vector (mod q); recall p~^ 

is an integer satisfying p~^p = 1 (mod q). 

A vector in the column span of L' will be of the form 



T,x 



L' 



f 




Af'" 


X 




.g'. 



where g' satisfies pg' = f ' * h (mod q), and x is an arbitrary integer vector 
representing multiples of q. 

The presence of H in the lower left of L' insures the relation g' = * f' 

(mod q), and the block ql serves to perform the reduction modulo q. 

The vectors Af ' and g' will generally have nonzero mean, but we are interested 
in the orthogonal norms and |g'|j^. To this end, subtract from each column 
vector V in the top half of L' the constant vector (v)l so that the result has zero 
mean; similarly each vector w in the bottom half of L' is replaced by w - (w)l. 
Our new matrix L is then 



rA/-(A/iV)J 0 
[ H-aJ qI-(q/N)j\' 

where J is the matrix of all I’s, and a is a suitably chosen scalar. 
Remark: L has only 2N -2 independent vectors, because 



1 

0 



= L 



0 

I 

1 



= 0 



Now a typical vector is 

Vf 



— T 






A(f'-(_f')l)' 


,x - ^ 


X 




. g' - (g')l . 



and the square of its norm is 

If'll + le'll = [iHl |f'll +p" I0ll Ig'll] 






Thus the norm of the lattice element V£< is directly related to the suitability 
of as a decrypting key. 

Remark: We also need f' to be invertible modulo p, so that fp ^ can be 
used in the decrypting process. This seems to be a weak requirement. 

For a given vector f', select x to minimize this norm, and define 



^ (p|0L)nwn|vf,_jj| = |b‘ 




58 



5 Lengths of suitable vectors 

We have seen that the correct key f should have 

Uf < q/lO 

in order to insure that messages are decoded correctly at least 0.9999 of the 
time. 

If the lattice basis reduction finds a vector f' with, say, rif = qfi, then 
the cryptanalyst can still gain much useful information. The entries b'/. of the 
recovered vector b are likely to be contained in the interval 

[-3a, +3a] = [-3g/ 4, 3g/4] , 

since there are only 167 entries and the probability of any given entry lying 
outside the 3a- interval is about 0.0026. Any entry b',. in the interval [g/4,3g/4] 
(mod q) is unreliable, because it could represent either 6^ or 6'j, — q and still 
lie within the range [— 3cr, 3a]. But entries 6^ in the intervals [0, g/4) U (3q/4,q) 
(mod q) are reliable; one can assume that they represent integers in the range 
(— g/4, qi/4) with no aliasing. We expect a fraction 0.68 of all 6'j, to lie in this 
reliable range. Each represents knowledge of a linear relation among the message 
components im (mod p), namely 

= '^mif'k-i (modp). 

t 

If we find two such vectors and each yielding about 0.68IV linear 
relations (modulo p) among the N entries mi, then we can solve the resulting 
system of linear equations to recover the message m. 

If the recovered vectors f' are somewhat longer, say 

n^/(i) Si 4 X Ti£- 

then we may have to work with faulty partial information: a few of the estimate 
integers b'^ might be incorrect, leading to a few incorrect linear equations among 
a collection of mostly correct ones. Then we will have to resort to techniques 
from error-correcting codes to discover the incorrect equations among the correct 
ones. 

So our success depends on the success of lattice basis reduction methods in 
finding relatively short vectors in the lattice. If we find a vector as short as f: 

rif' < Uf 

then clearly we can use f' as a decrypting key. If we find two vectors not much 
longer than f: 

rijpi{2) ^ 2.5 X 

then each will give us partial information, and we can combine this information 
via linear algebra to recover m. If we find several vectors somewhat longer yet, 

4 X Tl£ 




59 



then we still have a chance, if error-correcting techniques can be applied. 

The Lovasz lattice basis reduction methods [3] are only guaranteed to find a 
vector whose length satisfies 

Tifi < 

which is clearly insufficient. Schnorr [4], [5] has improved the original methods 
by using block techniques; he can find shorter vectors, at a higher computational 
price, than LLL. But it is still not guaranteed to find vectors as short as 

n^i ~ 4nf. 

To summarize: if there are many vectors f' with Uf < Uf then we are likely 
to stumble across one and be able to decrypt. If f is much shorter than all 
other vectors, then we are likely to find f. The only hope for the scheme to 
remain secure is for many vectors to satisfy, say, nf — 10 x rif and hope that 
the lattice basis reduction methods fail to find f among the sea of f'. With 
any improvements in the technology of lattice basis reduction, this temporary 
security would vanish. 



6 Other comments 



The lattice used in our main attack contains linear combinations of the columns 
of the circulant matrix H and appropriate multiples of the identity matrix I. An 
alternative lattice attack is to consider the dual lattice which characterizes all 
the integral solutions of the following homogeneous equation H * f = pg + gk, 
where f, g and k are three vectors with integral unknowns, and p, q are the two 
moduli. This lattice is closely related to that described in Section 4, except for 
the difference between x and |x|j^; it is hoped that this alternative description 
might help the reader’s intuition. 



We consider the set of all the column vectors 



f 

g 



of 2n integers which make 



the n entries in k integral. It is easy to show that it forms a lattice since its 
discrete and closed under addition. This lattice has full dimension 2n (except 
in degenerate cases), and we can find the 2n basis vectors in two groups of n. 
In each group we combine the n column vectors into a matrix, and denote the 
resultant n x n matrices F G and K: 

1. Find a basis for the homogeneous case in which A' = 0. The resultant 
equation is H * F = pG, which can be solved by F = pi and G — H since 
Hpl = pH. 

2. Find a basis for the inhomogeneous case in which K — I. The resultant 
equation is if * F = pG + ql. To solve it, we assume that H is invertible modulo 
p, and find two integral matrices B, C satisfying H * B = I + pC (that is, B 
is the inverse of H modulo p, and C is the matrix of multiples of the modulus 
p in the modular reductions.) Then F — qB and G = qC is & solution since 
H * F = qH * B = ql + pqC, and pG + ql = pqC -t- ql. 




60 



We now combine the two cases into a single 2n x 2n matrix A whose columns 
■fl 

vectors. The matrix A is: 



generate the lattice of 



g 



pi qB 
[H qC • 



The small column vector we are looking for in this lattice has entries of 
zero and one in the top half, and around two or three in the bottom half. We 
believe that for the recommended parameters of the NTRU cryptosystem, the 
LLL algorithm will be able to find the original secret key f as the first half of 
such an unusually short lattice vector. 



7 Extensions 

We understand that the authors of NTRU, after learning the details of our 
attack, are continuing their research into related schemes [2], 

One direction of their research involves schemes similar to NTRU but with 
larger parameters. The expense, for the designers of the system, comes with 
larger public keys and more time-consuming encryption. The added security 
comes from the notion that in a lattice of higher dimension (several hundred) it 
will be computationally harder for the opponent to find high-quality vectors. To 
maintain this security, one must keep ahead of advances in lattice basis reduction 
techniques. 

Another direction of their research involves extensions to noncommutative 
groups. Instead of using a group algebra over Zn (that is, the ring Zq[X]/{X^ — 
1)), one would use a group algebra over a noncommutative group. At the time of 
this writing we have not had sufficient time to analyze these proposed extensions, 
but we hope to be able to comment on the noncommutative version in the final 
version of the paper. 



8 Acknowledgments 

We thank Claus Schnorr for insight into lattice basis reduction methods. 



References 

1. J. Hoffstein, J. Pipher and J. H. Silverman, “NTRU: A new high speed public key 
cryptosystem,” Manuscript, August 30, 1996; presented at rump session of Crypto 
96. 

2. J. Hoffstein, J. Pipher and J. H. Silverman, private communications, October 1996 
and January 1997- 




61 



3. A. K. Lenstra, H. W. Lenstra and L. Lovasz, “Factoring Polynomials with Integer 
Coefficients,” Matematische Annalen 261 (1982), 513-534. 

4. C. P. Schnorr, “A hierarchy of polynomial time lattice basis reduction jilgorithms,” 
Theoretical Computer Science 53 (1987), 201-224. 

5. C. P. Schnorr, “Block reduced lattice bases and successive minima,” Combina- 
torics, Probability and Computing 3 (1994), 507-522. 




Kleptography: 

Using Cryptography Against Cryptography 



Adam Young* and Moti Yung** 



Abstract. The notion of a Secretly Embedded Trapdoor with Univer- 
sal Protection (SETUP) has been recently introduced. In this paper we 
extend the study of stealing information securely and subliminally from 
black-box cryptosystems. The SETUP mechanisms presented here, in 
contrast with previous ones, leak secret key information without using 
an explicit subliminal channel. This extends this area of threats, which 
we call “kleptography”. 

We introduce new definitions of SETUP attacks (strong, regular, and 
weak SETUPs) and the notion of m out of n leakage bandwidth. We 
show a strong attack which is based on the discrete logarithm problem. 
We then show how to use this setup to compromise the Diffie-HeUman key 
exchange protocol. We also strengthen the previous SETUP against RSA. 
The strong attacks employ the discrete logarithm as a one-way function 
(assuring what is called “forward secrecy”), pubhc-key cryptography, and 
a technique which we call probabilistic bias removal. 



Key words: cryptanalytic attacks, kleptography, leakage bandwidth, Dis- 
crete Log, DifRe-Hellman, RSA, design and manufacturing of cryptographic de- 
vices and software, black-box devices, subliminal channels, information hiding, 
SETUP mechanisms, randomness, pseudorandomness. 

1 Introduction 

Numerous problems and subtleties exist when constructing a cryptosystem for 
use, since designing and manufacturing secure cryptosystems is a demanding 
task. Some of these problems are immediate and known, yet they require diligent 
engineering. Other issues are more involved or are yet unknown. 

One area where problems have been recognized is in the information-hiding 
aspect of cryptosystems, and in particular the existence of “subliminal channels” 
in cryptosystems. Subliminal channels can be used to convey information in the 
output of a cryptosystem in a way that is different from the intended output. 
This notion was put forth by Simmons [Sim85, Sim94]. Other works on subliminal 
channels are [Des90] which showed an RSA channel and [KL95] which showed 
how to hide a shadow public key inside a key distribution method. The usage of 
subliminal channels expose information universally (to anyone). 

* Dept, of Computer Science, Columbia University Email: ayoung@cs.columbia.edu. 

** CertCo, NY, USA. Email: moti@cs.columbia.edu, moti@certco.com 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 62-74, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




63 



Recently, it was shown that a cryptosystem, when implemented as a black- 
box (i.e., when the user has only input/output access to the hardware or software 
cryptographic facility), can be designed such that it gives a unique advantage 
to the attacker. This is accomplished using SETUP mechanisms [YY96]. SE- 
TUPS are are unnoticeable in black-box environments and they resist reverse- 
engineering eus well (the device may still use a strong random source). 

Indeed, black-box cryptography is both endorsed and employed by the U.S. 
government (“trusted” hardware devices). It is also in use in the private sector 
(e.g., embedded cryptography in devices like cellular phones). It is often the case 
that crucial cryptographic key management functions are implemented in hard- 
ware and that companies that produce commercial software implementations of 
cryptographic systems do not publicize source code to protect proprietary infor- 
mation. Even when specifications are available, users rarely check the validity or 
compliance of the available implementation against the specifications. 

Previously, the SETUP threat employed subliminal channels and combined 
subliminal channels with public key cryptography (with a private key known 
only to the attacker). In this paper we present various “kleptographic threats”. 
Kleptography, in turn, is defined as the “study of stealing information securely 
and subliminally” ; we limit ourselves to the context of cryptographic systems. 
The kleptographic attacker can steal the secrets securely, and in an exclusive 
and subliminal manner. 

The attack that we present involves public-key cryptography and strong one- 
way functions, and is in the same spirit as SETUP attacks (avoiding trivial 
attacks on the pseudorandomness of the device and similar simple attacks where 
reverse engineering implies knowledge of the future states of the device). What 
is new in this work is that we show how to implement SETUPs without using 
explicit subliminal channels. Rather than employing an “information leaking 
channel,” the implementation, in conjunction with the internal cryptographic 
tools, generates opportunities for leaking information. 

In this paper; 

1. We refine the notion of a SETUP [YY96] and define the notions of weak, 
regular, and strong SETUPs. 

2. We expand the range of setup attacks that can be carried out on crypto- 
graphic devices. We define (m, n)-leakage bandwidth. 

3. We present a setup mechanism that employs the discrete logarithm problem; 
(previously, only weak attacks were known on discrete log systems). We show 
how it can be embedded within a device that conducts Diffie-Hellman key 
exchanges. 

4. The mechanism is used to strengthen the SETUP in RSA keys (presented in 
[YY96]), so that after reverse-engineering of the RSA key generation device, 
one cannot tell whether the past keys that were generated were generated 
by a kleptographic mechanism or by a regular one. 

5. A key technique that is presented is “probabilistic bias removal”. Bias re- 
moval simply eliminates the biases of a distribution caused by the algebra 
employed by the setup mechanism within a cryptographic device. 




64 



2 Definitions and Background 

A Secretly Embedded Trapdoor with Universal Protection is an algorithm that 
can be embedded within a cryptosystem to leak encrypted secret key information 
to the attacker in the output of that cryptosystem [YY96]. This encryption is 
performed by a PKC function E that is contained within the cryptosystem. E 
may be a probabilistic public key encryption function [GM84]. The outcome is 
a strong ‘encryption’ that is leaked in a fashion that is noticeable only to the 
owner of the private portion of E. The following is the definition of a (regular) 
setup, which is based on the definition from [YY96], 

Definition 1. Assume that C is a black-box cryptosystem with a publicly known 
specification. A (regular) SETUP mechanism is an algorithmic modification 
made to C to get C such that; 

1. The input of C agrees with the public specifications of the input of C. 

2. C computes efficiently using the attacker’s public encryption function E 
(and possibly other functions as well), contained within C . 

3. The attacker’s private decryption function D is not contained within C and 
is known only by the attacker. 

4. The output of C agrees with the public specifications of the output of C. 
At the same time, it contains published bits (of the user’s secret key) which 
are easily derivable by the attacker (the output can be generated during 
key-generation or during system operation like message sending). 

5. Furthermore, the output of C and C are polynomially indistinguishable (as 
in [GM84]) to everyone except the attacker. 

6. After the discovery of the specifics of the setup algorithm and after discover- 
ing its presence in the implementation (e.g. reverse-engineering of hardware 
tamper-proof device), users (except the attacker) cannot determine past (or 
future) keys. 

2.1 Weak SETUP 

Definition 2. A weak setup is a regular setup except that the output of C and 
C are polynomially indistinguishable to everyone except the attacker and the 
owner of the device who is in control (knowledge) of his or her own private key 
(i.e., requirement 5 above is changed). 

It may seem that a weak setup is cryptographicaly insecure. Indeed it is 
in the sense that it can be detected in poly-time by the owner of the device 
(but not compromised by anyone). Note however, that the user (owner) must 
first assume that the device in question contains a SETUP, and must also know 
exactly how to test the black-box device for the presence of it. Weak SETUPs 
are sufficient for the case where the end users are in collaboration. An example 
of this (as shown in [YY96]) is the prisoner’s dilemma of Gus Simmons [Sim85]. 
In this scenario, Alice is in prison and wants to leave. She contaminates her own 




65 



cryptosystem with a weak SETUP so as to leak her private key to Bob through 
digital signatures. After securely leaking her private key she can send data to 
him subliminally through digital signatures. 



2.2 Strong SETUP 

The key aspect of a regular setup is that we assume that the users do not have ac- 
cess to the actual implementation of C. This is in fact necessary for polynomial 
indistinguishability. Now assume that devices/implementations sometimes use 
the contaminated algorithm (namely, the setup) and sometimes use the uncon- 
taminated (setup-free) version. Now we can make an interesting strengthening. 

Definitions. A strong setup is a regular setup, but in addition we assume that 
the users are able to hold and fully reverse-engineer the device after its past usage 
and before its future usage. They are able to analyze the actual implementation 
of C and deploy the device. However, the users still cannot steal previously 
generated/future generated keys, and if the setup is not always applied to future 
keys, then setup-free keys and setup keys remain polynomially indistinguishable. 

A strong setup is a much more powerful notion than a regular setup. To 
exemplify, consider the following problem. Suppose that we are given a cryp- 
tographic device such that with 50% probability it uses the setup mechanism, 
and with 50% probability it behaves normally (based on a random bit, say). 
The claim is that if the setup is a strong setup, then a user who is handed the 
output of such a device cannot tell with probability greater than 50% whether or 
not the output contains hidden secret key information. The obvious assumption 
being made here is that the user did not observe the computation (randomness) 
that yielded the output in question, but otherwise he can observe the device’s 
algorithms and control. 

This notion is useful to an attacker as protection against the threat of “key 
revocation” , since even if the device is reverse-engineered, previously generated 
setup keys are indistinguishable from normal ones. Furthermore, the decision as 
to which keys to steal may be dictated by a secret policy used or given as input at 
the time of stealing. Mathematically, the notion gives an extra challenge beyond 
the polynomial indistinguishability based on the public key of the attacker and 
the pseudorandomness which is protected by the device. In fact, the involvement 
of a hard to invert one-way function and the notion of “forward secrecy” seems 
to be needed (“forward secrecy” is the notion that applies to key distributions - 
it requires that compromising the long lived key should not give away previous 
session keys distributed using the compromised long-lived key). The strong setup 
further requires that the distributions of the cryptosystem and the setup one 
be “indistinguishable” - even when given the public keys and tools embedded 
inside the black-box device. A weak setup in ElGamal signature was presented in 
[YY96], which is all they achieved based on algebraic properties of the discrete 
logarithm problem. 




66 



2.3 Leakage Bandwidth 

We now define the notion of leakage bandwidth in cryptosystems. It defines what 
can be leaked in cryptographic systems (e.g., key generation or key exchange) 
that are repetitively invoked. 

Definition 4. A (m, n)-leakage scheme is a SETUP mechanism that leaks m 
keys/secret messages over n keys/messages that are output by the cryptographic 
device (m < n). 

The discrete log attack that we present is a (l,2)-leakage scheme where in 
two key generations we are able to leak one key to the attacker. We will show 
how this scheme can be extended to become a (m, m + l)-leakage scheme. 



3 Discrete Log based SETUP against Diffie-Hellman 

Previously, the underlying strategy was to somehow modify a cryptosystem to 
‘display’ the public key encrypted ciphertext of secret key information in the 
output of the cryptographic device. Such modifications are difficult to come 
by, since the modification must not interfere with the normal operation of the 
device, and the SETUPs output must also be embedded in the normal output 
of the device. Hence, the data that is output by the device is dual in nature. A 
subliminal channel is the traditional vehicle for leaking such data, since a channel 
has a known bandwidth and does not interfere with the expected operation of a 
device. What we will now present is a different approach to leaking data securely. 

We will now briefly review the Diffie-Hellman key exchange protocol [DH76]. 
Alice and Bob want to agree on a secret key using an insecure communication 
channel. Diffie-Hellman uses the parameters p, which is a large prime, and g 
which is a generator modulo p. These parameters are public. To establish a 
secret key k, they do the following. Alice generates a value a randomly, where 
a < p — 1. Bob generates a value b in the same fashion. Alice sends Bob A = 

mod p and Bob sends Alice B = mod p. They can both compute k, where 
k = a'’ =■ (mod p). 

The primary attack that is presented in this paper introduces a setup for 
Diffie-Hellman. Let p is a large strong prime and gr is a generator mod p. The 
user’s private key is x where x is less than p— 1 (as in ElGamal scheme [E1G85]). 
The user’s public key is (y,g,p) where y = g^ mod p. To encrypt a message 
m (m < p), k is chosen randomly such that k < p — 1. We then compute 
r = g'‘ mod p, and s = i/*m mod p. The ciphertext of m is the pair (r, s). To 
recover m, we compute s/r® mod p. 



3.1 Discrete Log Attack 

Suppose that the only information that we are allowed to display is g” mod p 
for some c < p - 1 (as in Diffie-Hellman). The question is, how can we leak 




67 



c efficiently? The following is a way to leak a value, call it C2, over the single 
message mi = mod p, such that the subsequent message m2 = mod p 
is compromised. In this attack we assume that the device is free to choose the 
exponents used. Let the attacker’s private key be X, and let the corresponding 
public key be Y. Let IT be a fixed odd integer, and let H he a, cryptographically 
strong hash function. WLOG, assume that H generates values less than <j>{p)- 
The following algorithm describes the operation of the Diffie-Hellman device 
when it is used two times. 

1 . For the first usage, ci G Zp-\ is chosen uniformly at random 

2 . The device outputs mi = jf'* mod p. 

3 . Cl is stored in non-volatile memory for the next time the device is used. 

4 . For the second usage <, G { 0 , 1 } is chosen uniformly at random. 

5 . Z = tnodp. 

6. C2 = H{z) 

7 . The device outputs m2 = 3'’ mod p. 

The attacker need only passively tap the communications line, and obtain 
mi and m2, in order to calculate C2- The value for C2 is found as follows. 

1. r = mi "5*’ mod p 

2. Zi = mi/r^ mod p 

3 . if m2 = mod p then output H{zi) 

4 . Z2 = zi/g^ 

5 . if m2 = fjiQfi p tjjen output H{z2) 

The value C2 can be used by the attacker to determine the key from the second 
DH key exchange. Note that only the attacker can perform these computations 
since only the attacker knows X. The reason for using W will become clear in 
the next section. 

What is strange about the above setup mechanism is that we didn’t choose 
C2 randomly and then public key encrypt it. Instead, we designated 5'^ mod p 
to be the ElGamal encryption of something, and then calculated what that 
something Wcis. Note that jf”' mod p acts as both the first and second parts of 
the ElGamal encryption of z. So, we are doing ElGamal encryptions (r, s), where 
r = s. This is made possible due to fact that the device is free to choose its own 
random parameters. Hence, it is possible to leak an exponent efficiently using 
exponentiated values g'^ mod p alone. The discrete log attack, in effect, securely 
discloses a pseudo-random value C2 to the attacker and then deliberately uses 
it in a subsequent message. We call z a hidden field element with respect to 
Y, since it is an element of Zp that can only be recovered using the trapdoor 
information in Y (or at least as conjectured). As described, this is a (l, 2 )-leakage 
system (note that we never said we could choose our messages explicitly!). 

In order for C2 to be able to take on any value less than p — 1 we assume that 
gi = , g2 = g~^‘', and gs = g^~“^ are generators mod p. 

Claim 1 z is uniformly distributed in Zp. 




68 



Proof. We have the equation mod p. Solving for z, we get 

2 = jiijfg* mod p, where i is 1 or 2 . But jf,- = g^ mod p, for 

some integer u. So, z = mod p. Since cj is chosen uniformly at random, 

the claim holds. QED. 

If i/ is a pseudo-random function [GGM 86 ], then C2 can take on any value 
less than p — 1 as desired. Note that the attack works when (p — l )/2 is a prime 
(and it also works when it is composite). 

3.2 Security of Discrete Log SETUP Mechanism 

There are two issues to consider with respect to the discrete log attack. It must 
be intractable for people other than the attacker to recover C2- It must also 
be intractable for people other than the attacker to detect that this SETUP 
Mechanism is in use. We consider these in turn. 

Claim 2 The Discrete Log SETUP is secure iff the DH problem is secure. 

Proof. Suppose we have an oracle A that solves the DH problem. So, A{g'‘,g'^) — 
S'"". Let / = y). Clearly, / or f/g^ is z. From z we can readily 

obtain C2. Suppose we have an oracle B that breaks the Discrete Log SETUP 
mechanism where B{y,mi) = (21,22). Here 21 corresponds to t = 0 and 22 
corresponds to t = 1 . We have and g” and wish to find . We can use B to 
solve the DH problem as follows. We run B{g'^,g^) and take 21 of the output. 
We then calculate / = g'^{g'‘)~^zi. It follows that z = mod p. QED. 

We have shown that the setup is secure in the sense that a user, not knowing 
the random choices of exponents of the device, cannot determine the second 
exponent C2- It remains to show that users cannot detect the presence of the 
Discrete Log SETUP. 

Claim 3 Assuming H is a pseudorandom function, and that the device design is 
publicly scrutinizable, the outputs ofC andC are polynomially-indistinguishable. 

Proof. We know that z is uniformly distributed in Zp from Claim 1 . Therefore, 
since H is a. pseudo-random function (whose domain is Zp-i), C2 is distributed 
uniformly in Zp-i. So, the exponentiated values that are output by C and C 
have polynomially indistinguishable probability distributions. QED. 

From Claims 2 and 3 it follows that 

Theorem 1 The Discrete Log problem has a strong setup implementation, as- 
suming DH is hard. 



It remains to explain why the value W was used in the setup mechanism. 
This is used as a precaution in the case that H were found to be invertible. 
This precautionary mechanism is intended to further insure undetectability for 




69 



black-box implementations. So, suppose that the device is a black-box, the choice 
of exponents are made available to the user, and H is invertible. Furthermore, 
suppose that the outcome of t is always zero (i.e., W isn’t used). WLOG, assume 
that a = 1 and 6 = 0 is publicly known. The user can detect the presence of 
the setup probabilistically as follows. The user generates several Diffie-Hellman 
values, and corresponding exponents. Consider one such pair of exponents Ci 
and C 2 . Since H is invertible, the user can calculate z. But, the user does not 
know Y since the device is a black-box. The user hypothesizes that the attacker’s 
private key X is odd (so isn’t a generator). If this is the case, then the user 
would expect that if ci is even, then g“^^/z would be a residue mod p. If ci 
where odd, then the user would expect that g‘' jz would be a non-residue mod 
p. Now suppose that the user hypothesizes that X is even. Then if ci is odd or 
even, g'^^ jz is always a residue. Hence, under these circumstances, the user can 
detect the presence of the setup on a probabilistic basis by looking for quadratic 
residues (or non-residues) modulo p. 



3.3 Strong Setup in Diffie-Hellman 

The discrete log setup attack can be used to implement a strong setup in Diffie- 
Hellman, so long as the device does not output the exponents it chooses to 
the user. Implementing the attack is straightforward. The attacker includes his 
or her Y within Alice’s device. The attacker then need only passively tap the 
communications line. It is assumed that g and p remain fixed. 

Theorem 2 The Diffie-Hellman key exchange has a (/, 1-t-l)- leakage bandwidth 
SETUP implementation. 

We need to show that we can increase the bandwidth of the attack dramati- 
cally. We can do so by chaining together the values that are leaked. We calculate 
C 3 = H{z) using the equation Y"’^'‘'^^g'^*z — mod p. The value of p®* mod p 
is then used in the next key exchange. We continue this process, say I times. This 
permits the leakage / contiguous Diffie-Hellman keys. After I times a new ci is 
chosen entirely random, thus insuring that all such contaminated devices behave 
differently. Thus, the attack can be expanded to become a (l,l-|-l)-leakage setup. 
Note that this attack requires the storage of a small amount of state information 
to work. 

4 Probabilistic Bias Removal Method (PERM) 

Consider the following effective, albeit trivial, setup attack on a hybrid cryptosys- 
tem based on RSA and IDEA (PAP is a kleptographic version of PGP where 
‘Good’ is changed to ‘Awful’ [YY96]). This version contains the attacker’s 512 
bit RSA public key and requires that its users use 1024 bit public keys. PAP 
operates as follows. After the user has given PAP his or her own public and 
private keys, PAP recovers the users prime p, where n = pq. PAP then divides p 




70 



into two equal length bit-strings and then probabilistically encrypts both using 
the attacker’s public key. The result is two ciphertext bit-strings each of which 
is 512 bits in length. Since the key size of IDEA is 128 bits, PAP proceeds to 
leak these bit-strings by using them as the next eight symmetric keys used by 
the program. This constitutes a (l,8)-leakage setup attack. 

If the attacker succeeds in retrieving enough of these session keys (e.g., by 
convincing the user to e-mail him stuff), then he can compute the user’s private 
key. If the user suspects his PGP is really PAP, then he cannot simply encrypt 
his prime p and compare, since the encryptions were probabilistic. However, if 
the user generates enough symmetric keys using PAP he can detect the contam- 
ination. The method for doing so was noted by [Sch] in regards to the version of 
PAP in [YY96]. Note that each of the two ciphertext bit-strings that are leaked 
are each less than the attacker’s public modulus N. The output of the device is 
therefore biased towards outputting session keys, which when concatenated in 
sets of four, are less than N, whereas the values should be uniformly distributed 
in {0, 1}^^^. This is in fact a very general problem in kleptography, since it is 
public key encrypted values that are publicly displayed. 

An abstract version of the ‘biasing problem’ can be stated as follows. We are 
given a value x that is uniformly distributed in [1..R], and we want a value x' 
that is uniformly distributed in [l-.S], where R> S/2. Furthermore, we require 
that X be easily obtainable from z'. We will now describe our Probabilistic Bias 
Removal Method (PERM) which accomplishes this. Assume that we have access 
to an unbiased coin. We flip the coin and obtain either heads or tails. If s < S — R 
and we get heads then we set x' = x. But, li x < S — R and we get tails then 
we set a:' = 5 — i:. If X > 5 — il and we get heads, then x' = x. II x> S — R 
and we gets tails then we repeat the entire algorithm from the beginning. It is 
clear that x is readily obtainable from x', since x — x' unless x' > R, in which 
case x — S — x' ■ 

Claim 4 x' is uniformly distributed in S. 

Proof. X is chosen uniformly at random from [1..R]. So, the probability that a 
particular x is chosen is l/R. In the case that x < S — R, x' will be set to x 
with probability 1/2R and x' will be set to 5" — x with probability \/2R. Thus 
the values of x' at the beginning and ending of the range of S are uniformly 
distributed. It remains to show that the values in the middle have the same 
probability of occurring. If x > 5 — R, then x' will be set to x with probability 
1/2R. If the toss comes out tails, then the experiment is repeated. QED. 

Note that in the version of PAP presented above, if we take R — Zn* , the 
values 1, p, and q are not in R. Such minute discrepancies can be ignored however. 

5 Strong Setup in RSA Key Generation 

In jYY96] a setup for RSA [RSA78] key generation was proposed. This setup 
constitutes a regular setup but can be modified to be a strong setup. To see why 




71 



the previous attack does not constitute a strong setup, consider the following. 
The user knows his public modulus n, his public exponent e, and his private 
exponent d. From these he can factor n and recover the secret primes p and q. If 
the user knows exactly how the attack is implemented (i.e., the attacker’s public 
key, the fixed symmetric key, etc.), then he can detect the mechanism based on 
p and n. The user simply encrypts p in the same way as the mechanism would 
and compares the result to the upper order bits of n. If they match, then he has 
successfully distinguished C" from C in poly-time. However, the setup as stated 
is a regular setup, since knowledge of the fixed symmetric key is needed to detect 
any possible bias in the output. 

We will now describe a modification to the setup based on the discrete log at- 
tack that constitutes a strong setup. This version of PAP contains the attacker’s 
ElGamal public key (Y, g, P). P is the same size as the prime p being generated. 
The attacker keeps his private key X secret. Let a — G(h, c) denote a pseudo- 
random function G that when applied to the data b using the key c produces a 
value a. Let M be the number of bits in the representation of P. Finally, let K 
be a fixed symmetric key which need not be secret that is included within the 
device. Below is the pseudo-code for the setup attack. 

1. choose Cl randomly where ci < P — 1 

2. solve for z in — gCi p discrete log attack) 

3. remove the bias of z to get z' using the PERM (assuming that the input of 
H needs to be distributed uniformly in some domain larger than P), goto 
step 1 if repeat is necessary 

4. set z" = H(z') 

5. set lowest order bit of z" to 1 (so z" is odd) 

6. set p = z" 4- num where m/m is the smallest positive integer that makes p 
prime (increment in steps of 2 and check odd values for primality. We assume 
that num < Bi where Bi is some constant) 

7. apply PERM to mod P to get a value v, repeat step 6 as necessary 

8. for (/ = 0;/ < B 2 \ /4-+) do steps 8 through 12 

9. U = G{v,K + i) 

10. choose the value RND uniformly at random from {0, 1}^ 

11. Let [U][RND] be the concatenation of the bit-strings U and RND 

12. solve for q in the equation [U][RND] = pq + r 

13. if g is prime then set n = [U][RND] — r and goto step 14 

14. goto step 1 

15. calculate the RSA exponents e and d 

To find out if a given public key was created using PAP, the attacker does 
the following. He first sets U to be the upper order bits of the victim’s public 
modulus n such that there are M bits to the right of this value. He then decrypts 
U using K -t- / and where i ranges from 0 to S 2 - 1 • If any of the resulting values 
is greater than or equal to N, then a toss of tails occurred in the last application 
of the PERM, so the correct value for mod P needs to be calculated. The 
attacker then decrypts all of the values for mod P using his private key to 




72 



get the set of possible values for z. Since the PERM was used, there are at most 
two possible values z' for each z. For each z\ we compute z" — H(z') and set 
the lowest order bit of z" to one. We then increment in steps of two to get the 
set of candidate values for p. Like before, we increment in steps of two to check 
only odd values. The number of candidate values are limited by the value B\ . If 
any of one of the resulting values divides n, then the attacker has successfully 
factored the victim’s modulus. If a factor isn’t found, then the attacker decrypts 
[7+1 and proceeds as before. Note that since the PAP ignores the remainder 
upon dividing [U][RND] by p, it is possible that a borrow bit modified the upper 
order bits of n. It is for this reason that the attacker must try ?7 + 1 as well. If 
by then, a factor isn’t found, the attacker concludes that his version of PAP was 
not used to generate the public key. 

A few explanations for why PAP operates in this way are in order. PAP 
applies bias removal to gf'’* mod P to prevent statistical detection of the setup 
mechanism. We assume that H is a pseudo-random function, so we did not 
apply bias removal to z" . Note that the transformation z" — H(z') insures that 
p can have a value larger than the attacker’s public modulus. The reason for 
encrypting mod P using G is to take advantage of the pseudo-randomness 
and to avoid the overhead of excessive modular arithmetic, the amount of which 
is dictated by the prime number theorem. Hence, this step is essential to ensure 
a good probability of finding a valid p and q. We implemented the strong setup 
for RSA. See the appendix for an analysis of its performance. 

We would like to briefly add that the setup attacks on DSA and Kerberos 
given in [YY96] can be readily modified to become strong setups. This can 
be accomplished by leaking probabilistic public key encrypted data, where the 
PERM has been applied to the ciphertext that results from the probabilistic 
encryption. The probabilistic encryptions prevent the user from detecting the 
contamination by re-encrypting the secret information (which he knows) and 
comparing. 

5.1 Security of Strong RSA Key Setup 

Ey making certain reasonable cryptographic assumptions, the values for p and 
q that are chosen by PAP are random. 

Lemma 5. Assuming that p and the upper order bits [U] of [U][RND] are ran- 
dom, q is random in the set of M -hit primes. 

Claim 5 Assuming the design of PAP is publicly available, the output of C and 
C' are polynomially indistinguishable. 

Proof. PAP does not make its choices of exponents c\ known. Hence, Claim 2 
applies, and PAP is secure iff the DH problem is hard. Clearly the upper order 
bits [U] are chosen randomly in PAP. Since p is found from the strong one- 
way hash (and pseudo-random function [GGM86]) of z' , it follows from lemma 5 
that the probability distributions of C and C' are polynomially indistinguishable. 
QED. 




73 



It follows that 

Theorem 3 RSA has a strong setup as long as the DH problem is hard. 

As a side note, this setup can be modified to accommodate the generation of 
strong primes. 

6 Conclusion 

We found kleptographic attacks against systems that do not have explicit sub- 
liminal channels. The stealing was made more effective by repetitive correlated 
usage, and by increasing the leakage bandwidth through chaining. It was demon- 
strated that repeated use of a cryptosystem may generate “implicit channels” 
for attacks. Chaining, in turn, increases the applicability of stealing via SETUP 
mechanisms. We also refined and strengthened the notion of SETUP attacks. 

A cknowledgment s : 

We would like to acknowledge Jo Schueth for pointing out the statistical attack 
on the RSA key setup and Hari Sundaram for improving the efficiency of the 
PERM recovery algorithm. 



References 

[Des90] Yvo Desmedt. Abuses in Cryptography and How to Fight Them. In Advances 
in Cryptology — CRYPTO ’88, pages 375-389, Berlin, 1990. Springer-Verlag. 

[DH76] W. Diffie, M. Heilman. New Directions in Cryptography. In IEEE Trans, on 
Information Theory, 22(6), pages 644-654, 1976. 

[E1G85] T. ElGam<d. A Public-Key Cryptosystem and a Signature Scheme Based on 
Discrete Logarithms. In Advances in Cryptology — CRYPTO ’84, pages 10-18, 
Berlin, 1985. Springer-Verlag. 

[GGM86] O. Goldreich, S. Goldwasser, and S. Micali, How to Construct Random 
Functions. J. of the ACM, 33(4), pp 210-217, 1986. 

[GM84] S. Goldw 2 isser and S. Micali, Probabilistic Encryption. J. Comp. Sys. Set. 28, 
pp 270-299, 1984. 

[KL95] J. Kilian and F.T. Leighton. Fair Cryptosystems Revisited. In Advances in 
Cryptology — CRYPTO ’95, pages 208-221, Berlin, 1995. Springer-Verlag. 

[RSA78] R. Rivest, A. Shamir, L. Adleman. A method for obtaining Digital Signatures 
and Public-Key Cryptosystems. In Communications of the ACM, volume 21, 
n. 2, pages 120-126, 1978. 

[Sch] Jo Schueth, public communication (sci.crypt). 

[Sim85] G. J. Simmons. The Subliminal Channel and Digital Signatures. In Advances 
in Cryptology — EUROCRYPT pages 51-57, Berlin, 1985. Springer-Verlag. 

[Sim94] G. J. Simmons. Subliminal Channels: Past and Present. In European Trans, 
on Telecommunication, 5(4), 1994, pages 459-473. 

[YY96] A. Young, M. Yung. The Dark Side of Black-Box Cryptography. In Advances 
in Cryptology — CRYPTO ’96, pages 89-103, Springer-Verlag. 




74 



A Performance: Strong RSA SETUP 

We demonstrated the practicality of the attack by implementing it and noticing 
that it performs reasonably well (takes longer in general but sometimes it is 
faster than a comparable setup-free version). 

Our program was written in ANSI C and was linked with the GNU MP library 
version 1.3.2. Our program generates a 512 bit RSA public/private key pair using 
the strong setup mechanism described in this paper. Our implementation uses 
truerand of D. Mitchell and M. Blaze as a source of true randomness (it is part of 
AT&T CryptoLib by J. Lacy, D. Mitchell, W. Schell). These physically random 
values are used as seeds for a pseudo-random number generator. We chose to use 
Wheeler and Needham’s TEA as our pseudo-random function (any other block 
cipher like DES will do) . We used the probabilistic primality test from Knuth 
to test the random values. We chose Bi equal to 256. The value for B 2 was also 
256. 



Table 1 

512 bit RSA key generation times in seconds 



Trial 


SETUP gen 


SETUP deer 


1 


404 


93 


2 


35 


15 


3 


63 


52 


4 


104 


120 


5 


17 


176 


6 


150 


262 


7 


172 


131 


8 


334 


153 


9 


132 


264 


10 


133 


116 


Average 


154.4 


138.2 



The SETUP gen column lists the SETUP key generation times. The SETUP 
deer column lists the amount of time required to derive a private key from 
the corresponding public key. We note that the times reported may potentially 
be decreased by doing the following. By simply hashing the pseudorandomly 
calculated value instead of applying the PERM and then hashing, it is likely 
that the key generation times would be shorter. This would of course be done 
at the expense of not suppling the hcish function with inputs that are uniformly 
distributed. What we see is variability in the timing; it may be possible therefore, 
to modify a system like PGP to contain a strong RSA SETUP mechanism such 
that it can’t be detected by noticing a “substantial” delay in the key generation 
times. 




Fast and Secure Immunization Against Adaptive 
Man-in-the-Middle Impersonation 



Ronald Cramer (ETH Zurich * ) and 
Ivan Damgard (Aarhus University ** & BRIGS * * * ) 



Abstract. We present a simple method for constructing identification 
schemes resilient against impersonation and man-in-the-middle attacks. 
Though zero-knowledge or witness hiding protocols are known to with- 
stand attacks of the first kind, all such protocols previously proposed 
suffer from a weakness observed by Bengio et al. : a malicious verifier 
may simply act as a moderator between the prover and yet another ver- 
ifier, thus enabling the malicious verifier to pass as the prover. 

We exhibit a general class of identification schemes that can be effi- 
ciently etnd securely tranformed into identification schemes withstanding 
an adaptive man-in-the-middle attacker. The complexity of the resulting 
(witness hiding) schemes is roughly twice that of the originals. Basic 2 illy, 
any three-move, public coin identification scheme that is zero knowledge 
against the honest verifier and that is secure against passive imperson- 
ation attacks, is eligible for our transformation. This indicates that we 
need only seemlingly weak cryptographic intractability assumptions to 
construct a practical identification scheme resisting adative man-in-the- 
middle impersonation attacks. Moreover, the required primitive protocols 
can efficiently be constructed under the factoring or discrete logarithm 
assumptions. 



1 Introduction 

An (public key) identification scheme (see for instance [9]) is an (interactive) 
protocol by means of which one party (the prover) proves its identity to an- 
other party (the verifier). Securing log-in procedures is a main application of 
such schemes. An identification scheme consists of an algorithm to generate 
public-key /private- key pairs, and a protocol for the prover and the verifier. The 
collection of eligible key-pairs is chosen such that it is infeasible to compute a 
corresponding private key when only the public key is observed. Typically, the 
protocol’s purpose is to show that the prover “knows” the private key that cor- 
responds to the prover’b public key. Most known identification schemes take the 

* Inst, for Theoretical Comp. Sc., ETH Zurich, CH-8092 Zurich, Switzerland. Email: 
cramer0inf.ethz.ch. Research done while employed at CWI, Amsterdam, The 
Netherlands. 

** Maths. & Comp. Sc. Dept., Ny Munkegade, Aarhus, Denmark. Email: 
ivein0daimi . aau . dk 

* * * Basic Research in Computer Science, Center of the Danish National Research 
Foundation 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 75-87, 1997. 
© Springer-Verlag Berlin Fleidelberg 1997 




76 



form of three move interactive where the verifier is required to send a random 
bitstring as a challenge. For such methods to be secure, the verifier must not be 
able to extract this private key from the prover. Formally, this notion of security 
is captured by considering adaptive impersonation attacks. The (probabilistic 
polynomial time) attacker is given a prover, who has access to a key-pair as 
produced by the key-generation algorithm, as a black-box. Thus, the attacker 
only sees the prover ’s outputs as dictated by the identification protocol and not 
any of its internal coinflips, private inputs, etc. Next, the attacker is allowed to 
query the black-box a polynomial number of times, playing the role of a (mali- 
cious) verifier. This means that the attanker is allowed to choose the challenges 
in any way thought suitable to extract information about the private key. In 
particular, the choice of any next challenge may depend on the entire history 
of the attack and public key. Next, the attacker is denied any further access to 
this black-box prover. The identification scheme is called secure against adaptive 
impersonation attacks if the attacker is still unable to impersonate the prover 
(execute the prover ’s part of the protocol, facing an honest verifier). 

In [4] a weakness of identification schemes proposed until then was exposed. 
There, the authors explained how a malicious man-in-the-middle V may abuse 
his conversations with an honest prover P to misrepresent himself as P to yet 
another verifier V . The attack is not by cryptographic ingenuity. But, simply 
pretending to be a verifier himself, V actually forwards I^’s challenges to P and 
forwards P’s replies to V . Thus, while P is under the impression that he is 
identifying himself to V, he is actually identifying himself to V, to the possible 
advantage of V. A remedy suggested in [4] has the prover and verifier (rather 
the devices that represent them) isolate themselves physically from the outside 
world. A Faraday’s cage could be a suitable implementation. However, for iden- 
tification over networks, for instance, this measure seems not to be useful. 

We present a simple method to construct identification schemes resilient against 
adaptive impersonation and man-in-the-middle attacks. Though zero-knowledge 
[13] or witness hiding protocols [10] are known to withstand attacks of the first 
kind, all such protocols previously proposed suffer from the weakness observed by 
Bengio e.a. [4], since a malicious verifier may simply act as a moderator between 
the prover and yet another verifier, thus enabling the malicious verifier to pass as 
the prover. Using a three-move public coin protocol that is collision intractable 
(without knowing the private key, it is infeasible to pass the protocol) and hon- 
est verifier zero knowledge we build a witness-hiding identification scheme that 
differs from previous proposals in that an execution of a given proof of identity 
can only be unambiguously appreciated by the intended verifier. This is achieved 
by having the prover direct the protocol to the intended verifier’s public key. It 
is consequently shown that resilience against man-in-the-middle-attacks follows 
from this approach. Note that the required primitive protocol corresponds to an 
identification scheme secure against passive impersonation and honest verifiers. 
Directing a proof to an intended verifier has been considered by other researchers 
in a different context, as we will explain later. Our contribution is to provide a 
general, secure and efficient immunization against adaptive man-in-the-middle 




77 



impersonation attacks in identification schemes. Furthermore, we want the im- 
munization to work even if the the orginal identification scheme satisfies only 
weak security properties. 

Example schemes that satisfy our requirements include Schnorr’s scheme based 
on discrete logarithms [18] or Guillou-Quisquater’s scheme based on RSA [15]. 
But more generally, any one-way group homomorphism or any pair of claw-free 
trapdoor permutations gives rise to the desired building block. If we would take, 
for example, Schnorr’s scheme [18] as input to our constructions, the resulting 
identification scheme would have twice the complexity (in terms of computation 
and communication) of [18]. But we are then able to prove that our scheme 
is witness-hiding and resilient against man-in-the-middle attacks if computing 
discrete logarithms is hard. 

Conceptually, our method to disable man-in-the-middle attacks is as follows. Let 
X and Y be two players, where X wishes to identify himself to Y. Suppose now 
that we have an efficient method by which X could take E’s public key, and his 
own key-pair (his public key and secret key), and securely prove the statement 
“I know X’s secret key or I know F’s secret key”. If this protocol is witness 
indistinguishable (no information is released as to which is the case), only Y can 
be sure he is talking to X rather than anyone else. For, any other verifier Z 
would only know that he is talking to X or Y. Thus, if X directs his proof to Y 
as outlined above, the proof is unambiguous only to Y. 

So why would this help against man-in-the-middle attacks? By the symmetry 
of the statement proved and by the asserted witness-indistinguishability of the 
proof, if Y could abuse his conversation with X to pass as X at Z as the man- 
in-the-middle would do, he must be able to do so without talking to X. Thus the 
man-in-the-middle attack reduces to a cryptographic attack. But now we invoke 
the witness-indistinguishability again to show that if T’s attack would succeed, 
he could compute X’s secret key. This then contradicts our assumption that it 
is hard to compute the secret key from a random public key. We stress that this 
approach makes sense only if the keys are sufficiently indepedently generated. 
In the extreme case that two verifier keys are identical, it is clear that man-in- 
the-middle attacks are still feasible. More generally, a proof of security will fail 
if there is dependendence among these keys: if one is chosen as a clever function 
of the other (such as a random and secret power of a given key based on discrete 
logarithms), proof given to one verifier may still be “diverted” to another verifier. 
In Sections 6 and 7 we discuss this matter in detail and give examples of how 
proper key-generation can be enforced. 

We note that the same basic idea of proving one of two statements in order 
to direct a proof to one specific verifier was found independently by Jacobson, 
Impagliazzo and Sako in [16]. Their main motivation was to make undeniable 
signature schemes more secure and non-interactive. Their method for building 
a verifier designated protocol uses a trapdoor bit commitment scheme. In com- 
parison, our method shows that if you start with a protocol of a certain form, 
then a separate trapdoor bit commitment is not needed. On the other hand. 




78 



their methods works for some protocols that are not of the form we consider. We 
also note that, in a different context, Chaum [5] proposed using trapdoor com- 
mitment schemes to ensure that only a particular verifier can appreciate a given 
proof. Dolev, Dwork and Naor [8] have introduced non-malleable cryptography, 
a theoretical primitive that includes prevention of man-in-the-middle attacks in 
a number of scenarios, and have proposed protocols that work under general 
cryptographic assumptions. 

It is not so much the concept explained above that we advocate as the most 
significant contribution here. We would like to stress that the concept has been 
applied implicitly before, prior to [16]. [16] is the first paper applying the ideas 
to verifier-directed proofs, however. We know of at least one example, namely 
the protocol of Feige and Shamir [12] for bounded round general zero knowledge 
proofs. There, the prover commits to a witness for the NP-statement to be proved 
using an unconditionally hiding trapdoor commitment scheme, an instance of 
which is generated by the verifier. Indeed, the proof conducted there can be seen 
as showing that the NP-statement is true, or that the prover knows the verifier’s 
trapdoor! To get the designated verifier proofs for general languages, postulated 
in [16] but not given, we can use the result of [12] and make sure that verifiers’ 
instances of the trapdoor commitment scheme are independently generated. 

In our setting, we restrict ourselves to the problem of identification, and at- 
tempt to formulate a very efficient solution to the problem of identification in 
the presence of an adaptive man-in-the-middle attacker. Moreover, we are only 
interested in solutions that allow for some well-defined and accepted crypto- 
graphic intractability assumption to be reduced to the security of the identifica- 
tion scheme. 

It is interesting to note that our results apply to a general class of identification 
schemes which in their normal mode of operation need only satisfy seemingly 
weak security properties. Namely, zero knowledge with respect to the honest 
verifier and collision intractability (that is, the scheme is secure against passive 
impersonation attacks). As a result of our simple and efficient transformation, 
we obtain the required security level, namely security against adaptive man-in- 
the-middle attackers. 

Technically speaking, our approach is close to the ones taken in [7,6]. However, 
it is not clear from those papers (which may partly be seen as investigations into 
witness hiding) how we can efficiently obtain security against adaptive man- 
in-the-middle attackers in our context. Please note that such wcis neither clear 
from [16], since there the focus is on undeniable signatures. Although it appears 
to be true that their approach using trapdoor bitcommitments has a wider ap- 
plicability than that, their approach does not indicate that immunization of 
an identification scheme against man-in-the-middle attackers, can be done effi- 
ciently and securely even if the given scheme is only weakly secure in normed 
mode of operation, as we discussed above. 

Please note that digital signatures also lead to identification schemes secure 
against impersonation and man-in-the middle attacks. The prover would simply 




79 



sign a message consisting of the concatenation of a random challenge (supplied by 
the verifier) and the verifier’s public key. Although we feel that our schemes could 
compare favorably in terms of practical value to even such solutions, we like to 
point out that we aim for a practical identification scheme that is proven secure if 
some standard cryptographic intractability assumption holds. Seen in this light, 
digital signatures, for example, with such proven security, i.e. signatures secure 
against adaptively chosen message attacks, still come at too high a price in this 
context. Nevertheless, it may be reasonable here to use them for key-certification. 
Note that in this signature based approach, the prover (in this case the signer) 
leaves a trace; the verifier can later prove to a third party that he talked to 
the prover. In some cases this is undesirable as it might damage the privacy of 
the prover. This problem is not present in our approach; because the verifier 
could (using his own secret key) simulate the protocol perfectly, he cannot use 
a transcript of the protocol to convince a third party. 

If one aims at practical value and proven security (relative to a plausible assump- 
tion), it may be true that our proposal for identification schemes secure against 
impersonation and man-in-the-middle attacks comes close to what one could 
reasonably achieve in this area, due to its conceptual simplicity and efficient 
implementation. 

This work is organized as follows. First, we define a general class of “weak” 
identification schemes in Section 2, to be used later as the building block for our 
transformation. The existence of our building blocks is discussed in Section 5. 
The main result and its proof of security are given in Sections 3 and 4. Sec- 
tion 6 discusses in detail the key- generation requirements. Finally, we give an 
application to access- control in Section 7. 

2 Model 

We define the basic ingredients to our results. 



17-Protocols Let (A,B) be a three move protocol where the prover A speaJcs 
first. The verifier B is required to send random bits only. A and B are proba- 
bilistic polynomial time (PPT) machines. The protocol {A, B) resembles a proof 
of knowledge for a binary relation R (see for instance [9] for details), in that the 
prover can always make the verifier accept on common input x, if the prover 
knows w such that (x,w) 6 R. By running (probabilistic) polynomial time al- 
gorithm a(-) on X and his secret witness w, the prover A computes his initial 
message a. After having received the initial message, the verifier B chooses a 
bitstring c £ {0, uniformly at random, and sends it as a challenge to A. 
The challenge length ts is assumed to depend only on the binary length of the 
common input x (and the protocol (A,B) of course). The prover completes the 
conversation by running (probabilistic) polynomial time algorithm z{-) on x, w, 
a, c, thereby possibly re-using the random bits used in the computation of the 
initial message. The resulting response 2 is submitted to the verifier. By invoking 




80 



the (probabilistic) polynomial time procedure 4>, the verifier tests the validity of 
the conversation. We call such a protocol (^4, B) with the properties described 
above a 17-protocol ^ for relation R. 

Furthermore, we introduce the following terminology and notation. A sequence 
(x, a, c, z) is called an accepting conversation if and only if (j)(x, a, c, z) = accept. 
A pair of accepting conversations (x, a, c, z) and (x, a, c', z') with c 7 ^ c', is called 
a collision. When a verifier B follows the protocol, i.e. chooses the challenge 
indeed at random, that verifier is called honest. For an arbitrary prover A*, 
(A*,B) denotes the interaction between A* and the honest verifier B, on some 
given common input. 



Required Security Properties First, we need the protocol to satisfy a weak 
form of knowledge-soundness. 

Definition 1. Let A; be a security parameter for protocol (A,B). Suppose we 
are given a PPT generator G for relation R that on input 1* produces (x, in) £ R, 
such that no PPT algorithm E, given x as input, can generate two accepting 
conversations (a, c, r), (o, c',r') with c 7 ^ o' (a “collision for x”), except with 
negligible probability of success (probability taken over the coinflips of E and 
G). Then (A, B) is called collision intractable over G. 

Note that we don’t require that a witness can be extracted from a successful 
prover. Thus, the protocol need not be a proof of knowledge. The property 
implies that, given as input a random instance x only, it is infeasible to construct 
a successful prover for that instance. In particular it follows from our assumptions 
that it must be hard to compute a witness w from a given x (when x is generated 
according to G'). By a standard rewinding argument (see Bellare and Goldreich 
[3]), we have the following. 

Proposition 2. Let a E -protocol (A,B) for relation R be given, and let x € 
{0,1}*. Suppose that A* is an arbitrary PPT prover such that {A*,B) succeeds 
with probability e, on common input x. Let Ta-{x) be A* ’s running time and 
suppose that e > 1/2*®. Then there exists a probabilistic algorithm Ext that 
outputs two accepting conversations x,a,c,z and x,a,d,z' with c^ c' (that is, 
a collision), with expected running time polynomial in Ta- (x) and l/(e — 1/2*®). 
Ext is allowed to run A* as a rewindable blackbox. The probability is taken over 
the coin tosses of Ext and A*. 

Next, we will assume the protocol (A,B) to be honest verifier zero-knowledge, 
that is, we only demand that conversations with the honest verifier can be sim- 
ulated (perfectly). 



* Of course, there is nothing new about three move, public coin protocols as such in 
cryptography, but we have decided to give them a name, derived from zig-zag and 
Merlin-Artur (see [2]) 




81 



Definition 3. Let (x,w) 6 E. Let a prover A and a verifier B execute (A, J5), 
both following the protocol. Let x be the common input and let w be private 
input to the prover. Suppose we are given a probabilistic polynomial time algo- 
rithm M with the following properties. 

1. On input x, M outputs an accepting conversation. 

2. The distribution of the conversations generated by A and B is equal to M (x). 
Then (A,B) is said to satisfy honest verifier zero knowledge, with simulator M. 



Relation with Identification Schemes We can view a T'-protocol {A, B) for 
relation i? as an identification scheme by identifying a public/private key-pair 
with a pair (x, w) € R, as generated by some given generator G. 

It is easy to see that such a protocol constitutes an identification scheme secure 
against passive attacks, if {A, B) is collision-intractable over G and if the length 
ts of the challenges is large enough, say linear in the security parameter. Indeed, 
by Proposition 2, we can extract collisions with non-negligible probability from 
a passive attacker (that is, one which is given the public x only) having non- 
negligible probability of success. But this would contradict our assumption that 
(A, B) is collision-intractable over G. 

Adding honest verifier zero knowledge to our requirements, makes sure that the 
resulting scheme is secure against random challenge atacks. By this we mean 
that even an attacker which is allowed to query a prover on random challenges, 
cannot later pose as that prover. Note that we use here the previous observation 
that collision-intractability implies security against passive attacks. 

Security against adaptive attacks means that even though the attacker is allowed 
to query a prover on any challenge of his choice and in an adaptive fashion, it 
can still not later pose as that prover. This is basically the notion of security 
from [11]. 

The adaptive man-in-the-middle attacker, is one which has “adaptive access” 
to a prover X as well. Additionally however, the attacker is allowed to pose as 
any verifier Y out of a given set V of verifiers, and have X identify itself to 
this verifier. The attacker’s goal is to make an honest verifier Y , with Y ^V, 
accept X, possibly running executions of X’s identification to any Y £ V on- 
line. If this is infeasible for any PPT attacker, we say that the identification 
scheme is secure against adaptive man-in-the-middle impersonation. Note that 
our definition combines the notions of security from Feige et al. [11] and Bengio 
et al. [4] . 

Our purpose is to transform identification schemes that are only secure against 
random challenge attacks into ones that withstand even adaptive man-in-the- 
middle impersonation, which seems to be the most desirable security level for 
public key identification schemes. 




82 



3 Main Result 

Let (A, B) be a collision-intractable i7-protocol for relation R and generator G. 
Suppose that (A,B) is honest verifier zero-knowledge, with simulator M, and 
that the challenge length tg is linear in the security parameter k. Thus, by the re- 
marks above, (A,B) constitutes an identification scheme secure against random 
challenge attacks. Our purpose is to transform {A, B) into a new identification 
scheme which is secure against adaptive man-in-the middle impersonation. This 
transformation works as follows. 



Key Generation A keypair [x,w) 6 R, consisting of a public key x and a 
secret key w, for participant X is generated as 

(x, w) G(l*‘) 

for an appropriate security parameter k. The public key x is placed in A"’s public 
directory. The secret key w is held privately. 

Identification of X to K Here, participant X will identify itselfto participant 
y. Let their respective public keys be x and y, and let X’s secret key be w. The 
claimed identification protocol runs as follows. 

Move 1: X computes a <- o(x, w) and (6, d, s) f- M{y). Then X sends the pair 
(a, b) to Y. 

Move 2: Y selects C uniformly at random from {0, and sends C as a 
challenge to X. 

Move 3: X puts c <- C0d and computes z z{x, w, a, c), and sends z, d, s to Y. 

7 

Finally, Y checks the conversation by verifying whether a,C ® d,z) = 

7 

accept and </>(?/, 6, d, s) = accept. If these verifications are satisfied, X is 
accepted by Y. 

Please note that the secret key of the verifier Y is not used during the identifi- 
cation. One can imagine a scenario where the set of provers is disjoint from the 
set of verifiers. In this case, no storage of secret data is required at the verifier’s 
side. 

Prom a technical point of view the protocol above is quite similar to that given 
in Corollary 13 from [7] (while collision-intractability and honest verifier zero 
knowledge as a building block is taken from [6]). That result may be viewed as a 
way to transform identification schemes secure against random challenge attacks 
into ones that withstand adaptive challenge attacks only. 

The cryptographic assumptions needed here are potentially weaker. But most 
importantly, here we show how the protocol from Corollary 13 [7] can be “re- 
arranged” so as to withstand even man-in-the-middle attackers. Thus from the 
point of view of functionality, the protocol presented here is superior. Another 
difference is that here the length of the public key is invariant under the trans- 
formation. 




83 



4 Security Analysis 

We give proof of security under the assumption that the participants’ keys are 
generated as prescribed in the Key Generation protocol. In Section 6 we explain 
in detail why this assumption is needed and we also propose ways of enforcing 
this. An application where this condition is satisfied in a natural way is presented 
in Section 7. 

Before we give the proof, we ’d like to point out that an execution of the protocol 
from Section 3 leaves no trace, in the sense that a verifier Y cannot later prove 
to a third that X identified itself to Y earlier. This follows from the symmetry 
of the protocol: Y can generate the conversations of the identification of X to K 
with exactly the same distribution on its own. 

Theorem 4. Let {A, B) he a collision intractable, honest verifier zero knowledge 
S-protocol for relation R and generator G. Assume that the challenge length ts 
is linear in the security parameter k. Then the identification scheme based on 
{A, B) from Section 3 is secure against adaptive man-in-the-middle imperson- 
ation. 

Proof The idea is as follows. First we generate public key x' according to G, 
and discard the corresponding secret key. We show that, if the protocol were 
not witness hiding or were not resilient against man-in-the-middle attacks, there 
exists an efficient algorithm that takes x' as input and outputs a collision for 
x' in the protocol (A,B). But this would then contradict (A, B)’s collision- 
intractability. 

The following game is easily be seen as modelling the situation. Let m be 
polynomial in the security parameter k. We generate m public keys with known 
secret keys by running G m times. We flip a coin b. If b = 0, then we put 
x <r- x' and assign the m key pairs to Fi . . . Fm. If 6 = 1, we select j at ran- 
dom from m}, and put pj t— x' , and assign the m key pairs to X, 

Y,,...,Yj_uYi+u...Ym. 

The game consists of two stages. 

1. The attacker gets the following prover as a black-box. We define P as the 
prover who gets x and all public keys pi as input, plus the secret keys as gen- 
erated above. P can perform the identification protocol for all pairs {x,pi). 
The attacker is allowed to play with P (as a blackbox, but not rewindable) 
for a polynomial amount of time. Then, the attacker gives us a number 
j' £ {1, . . . , n}, and hands back P. This models the idea that before the real 
attack, the attacker may try to extract as much information as needed for 
winning in the second stage. 

2. With probability (m + l)/(2m), the attacker chose j' = j such that P was 
not given the secret key for pj in the beginning or was not given the secret key 
for X. Let’s assume that this event happens (If not, we re-run the previous 
stage). Next, the attacker gets as input the secret keys for all public keys 
Pi with i ^ j. This models the idea that (possibly via a man-in-the-middle 




84 



attack), the attacker tries to pass as X to any other verifier intended by X. 
To make the proof easier, we just give the attacker the secret keys which 
allow him to perfectly simulate X's behaviour at any other site than Yj, 
rather than giving him X as a blackbox: if he can’t do it with the secret 
keys, than he certainly can’t when he is given X as a blackbox who only 
identifies himself at Yi with i ^ j. The attacker wins the game, if he can 
pass the protocol against the honest verifier on input {x,yj). 

Let’s assume that the attacker won with probability e > 2”*® (recall that fs 
is assumed to be of linear size in k). Then, by Proposition 2, we can extract a 
collsion for yj or for x from the attacker (running it as a rewindable blackbox) 
with expected time polynomial in the running time of the attacker and l/(e — 
1/2*®). Thus, if e is non-negligible, then we can extract a collision from the 
attacker in expected polynomial time. But, this is a collision for key x' with 
probability 1/2, since the attacker cannot distinguish between the cases 6 = 0 
and 6 = 1 by witness indistinguishability of the protocol (which follows by the 
properties of the simulator M). This contradicts the assumption that (A,B) is 
collision-intractable over G. 

5 Existence 

The following theorem can be derived from the results in [6], and gives an indi- 
cation of the generality of our primitive. 

Theorem 5. Suppose that a family of claw-free pairs of trapdoor permutations 
exists, or that a family of one-way group homomorphisms exists. Then there 
exists a E-protocol for relation R, with generator G, that is collision-intractable 
and honest verifier zero knowledge and that has a challenge length linear in the 
security parameter. 

If based on claw-free pairs of trapdoor permutations, we can always efficientlyen- 
force the challenge length of {A, B) to be linear in the security parameter, while 
keeping the size of the initial message, the reply and the length of the common 
string constant in length. For one-way group homomorphisms, we can do some- 
thing similar, under the condition that for each such homomorphism /, there 
exists a (large) prime v with the following property: for each y in the range of /, 
it is easy to compute a preimage x of (using multiplicative notation for the 
group operation in the range) . Two important examples of such families of one- 
way group homomorphisms can be constructed under the factoring and discrete 
logarithm assumptions. We give no further details of the general construction 
here. 

A particularly efficient implementation, for example, is obtained when (A,B), 
for instance, is Schnorr’s protocol [18] or Guillou-Quisquater’s [15]. The following 
example is based on Schnorr’s identification protocol. Let Gq be a group of prime 
order q such that computing discrete logarithms in Gg is hard. Let p be a fixed 
member of Gq. 




85 



Key Generation A keypair, consisting of a public key and a secret key, for 
participant X is generated as 

{x = g'",w) 

where w is chosen at random from Z,. The public key x is placed in X’s public 
directory. The secret key w is held privately. 



Identification of X to Y Here, participant X will identify itself to participant 
Y . Let their respective public keys be x and y, and let X’s secret key be w. 
The claimed identification protocol withstanding adaptive man-in-the-middle 
impersonation runs as follows. 

Move 1: X computes a and b <— where u, s and d are chosen at 

random from Z,. Then X sends the pair (a, b) to F. 

Move 2: Y selects C at random from Z, and sends C as a challenge to X. 
Move 3: X puts c t- C 4- d mod q and computes z ^ cw + u mod q, and sends 
2 , d, s to Y. Finally, Y checks whether g^ = ax'^ and g" = by'^, where c is 
defined as C + d mod q If these verifications are satisfied, X is accepted by 
F. 

6 A Note on Key-Generation 

Using our example based on discrete logarithms from Section 5, we explain why 
it is important that key-generation takes place as demanded; if key-generation is 
not taken care of as required, the following attack could be mounted against the 
scheme. Let’s assume that some malicious party F wishes to be accepted as any 
prover X by some verifier F. Let x and y denote their respective public keys. 

The attacker F proceeds by selecting a, € Z,, computing x <— and 

defining x as its public key. Whenever any prover X identifies itself to F, the 
latter can easily divert the communication to F and be accepted as X as follows: 

Move 1: Prover X identifies itself to F and the attacker F claims to be X 
to verifier F. The attacker F proceeds as follows. Receive a and b from 
X. Compute b Forward a and 6 to F. 

Move 2: Receive F’s challenge C, and forward it to X. 

Move 3: Receive X’s replies z, d and s. Compute s t- (s - ad)/0 mod q, and 

forward z, s and d to F, who checks that 5 ^ = ax^ and g‘ = by'^, where c is 
defined as (7 + d mod q. As a result, F is accepted as X by F. 



A simple way to enforce proper key-generation, is by having a trusted registration 
authority. This authority need only be active during registration of the public 
keys, and participants basically have to proof knowledge of their secret key before 
the public key can be registered. Some care must be taken however, because a 
man-in-the-middle attacker may also try to abuse an interactive key-generation 




86 



protocol for the purpose of later misrepresenting himself. One possible solution is 
the following. Let X be a participant who wishes tohave a public key registered. 
Then the authority computes g* o'" , where w' is chosen at random from 2,, 
and sends g» to X. Next, X chooses w" at random from 2 ^, computes x ^ g'^ 
and proves knowledge of w" with respect to g*, using a suitable interactive (zero- 
knowledge) protocol for instance. Finally, the authority registers a; as X’s public 
key and sends w' to X, who computes the secret key as w w'w" mod q. 

7 An Application 

In this section, we give an example where the conditions on key-generation are 
satisfied in a natural way. Imagine an organization with m sites to which re- 
stricted access is applicable. Some n officials are granted access to some of these 
sites. When an accessor presents himself at one of these sites, his access rights are 
checked by verifying his identity. These sites may vary from buildings, specific 
sections of buildings, or even databases or computer systems. The organization 
keeps a central list of the identities of the officials and their specific access rights. 
It is assumed that each site has access to this list, either by having a copy of the 
list at hand, or by consulting the central database. 

Let Xi,. . . , X„ be the collection of participants. The collection of sites with 
restricted access is denoted The organization generates a keyset 

{xi,Wi) for each participant Xi, as described in the Key Generation protocol 
in Section 3. Each participant Xi is given a tamperresistant smartcard Si, ca- 
pable of performing our protocols. The keyset is securely loaded into the cards. 
Now, for each site Yj, the organization generates a keyset {yj,Vj). The secret 
key Vj is destroyed. We assume that each site is represented too by some device 
capable of performing the protocols. For each site, the organization prepares a 
list of the public keys of the officials that are granted access to this site. This 
list is made available to the site. Please note that the devices for the sites need 
not store any secret information. One only has to make sure that the data they 
store is authentic and cannot be modified by unauthorized parties. 

When participant Xi wishes to exercise his right of access to site Yj, he lets 
his smartcard simply perform the identification protocol with site Yj as the 
verifier, on common input (xi,yj). By the security properties of the identification 
scheme, the resulting protocol is secure against adaptive impersonation attacks, 
but furthermore, no adversary can by means of a man-in-the-middle attack, 
divert the communication to a different site Yt, and pass there as Xi, even if Xi 
has the right of access at site Yt. 



References 

1. M. Abadi, E. Allender, A. Broder, J. Peigenbaum and L. Hemachandra: On 
Generating Solved Instances of Computational Problems, Proceedings of Crypto 
’88, Springer Verlag LNCS, vol. 403, pp. 297-310. 




87 



2. L. Babai and S. Moran: Arthur - Merlin Games: A Randomized Proof System 
and a Hierarchy of Complexity Classes, JCSS, vol. 36, pp. 254-276, 1988. 

3. M. Bellaxe and O. Goldreich: On Defining Proofs of Knowledge, Proceedings of 
Crypto ’92, Springer Verlag LNCS, vol. 740, pp. 390-420. 

4. S. Bengio, G. Brassard, Y. Desmedt, C. Goutier and J.J. Quisquater: Secure 
Implementation of Identification Systems, Journal of Cryptology, 1991 (4): 175- 
183. 

5. D. Chaum: Provcrs Can Limit the Number of Verifiers, unpublished. 

6. R. Cramer and I. Damgard: Secure Signature Schemes based on Interactive 
Protocols, Proceedings of Crypto ’95, Springer Verlag LNCS, vol. 963, pp. 297- 
310. 

7. R. Cramer, I. Damgard and B. Schoenmakers: Proofs of Pariial Knowledge 
and Simplified Design of Witness Hiding Protocols, Proceedings of Crypto ’94, 
Springer verlag LNCS, vol. 839, pp. 174-187. 

8. D. Dolev, C. Dwork and M. Naor; N on-malleable cryptography, Proceedings of 
STOC ’91, pp. 542-552. 

9. A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Iden- 
tification and Signature Problems, Proceedings of Crypto ’86, Springer Verlag 
LNCS, vol. 263, pp. 186-194 

10. U. Feige, A. Shamir: Witness Indistinguishable and Witness Hiding Protocols, 
Proceedings of STOC ’90, pp. 416-426. 

11. U. Feige, A. Fiat and A. Shamir: Zero- Knowledge Proofs of Identity, Journal 
of Cryptology 1 (1988) 77-94. 

12. U. Feige and A. Shamir: Zero-Knowledge Proofs of Knowledge in Two Rounds, 
Proceedings of Crypto ’89, Springer Verlag LNCS, vol. 435, pp. 526-544. 

13. S. Goldwasser, S. Micali and C. Rackoff: The Knowledge Complexity of Inter- 
active Proof Systems, SIAM J. Computing, Vol. 18, pp. 186-208, 1989. 

14. Efficient Identification Schemes Secure against Impersonation and Man-in-the- 
Middle Attacks, preprint, October 1995. 

15. L. Guillou, J.J. Quisquater: A Practical Zero-Knowledge Protocol fitted to Se- 
curity Microprocessor Minimizing both Transmission and Memory, Proceedings 
of Eurocrypt ’88, Springer Verlag LNCS, vol. 330, pp. 123-128. 

16. M. Jacobson, R. Impagliazzo and K. Sako: Designated Verifier Proofs and their 
Applications, Proc. of Eurocrypt ’96, Springer Verlag LNCS, vol. 1070, pp. 
143-154. 

17. T. Okamoto: Provably Secure and Practical Identification Schemes and Corre- 
sponding Signature Schemes, Proceedings of Crypto ’92, Springer Verlag LNCS, 
vol. 740, pp. 31-53. 

IS. C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryp- 
tology, 4 (3): 161-174, 1991. 




Anonymous Fingerprinting 



Birgit Pfitzmann' *, Michael Waidner^ 

* Universitat Dortmund, Informatik 6, D-44221 Dortmund, Germany; 
email pfitzb@ls6.informatik.uni-dortmund.de 
^ IBM Zurich Research Laboratory, Saumerslrasse 4, CH-8803 Riischlikon, Switzerland; 
email wmi@zurich.ibm.com 



Abstract. Fingerprinting schemes deter people from illegally redistributing digital data by 
enabling the original merchant of the data to identify the original buyer of a redistributed copy. 
Recently, asymmetric fingerprinting schemes were introduced. Here, only the buyer knows the 
fingerprinted copy after a sale, and if the merchant finds this copy somewhere, he obtains a 
proof that it was the copy of this particular buyer. 

A problem with all previous fingerprinting schemes arises in the context of electronic 
marketplaces where untraceable electronic cash offers buyers privacy similar to that when 
buying books or music in normal shops with normal cash. Now buyers would have to identify 
themselves solely for the purpose of fingerprinting. To remedy this, we introduce and 
construct anonymous asymmetric fingerprinting schemes, where buyers can buy information 
anonymously, but can nevertheless be identified if they redistribute this information illegally. 

A subresult of independent interest is an asymmetric fingerprinting protocol with rea- 
sonable collusion tolerance and 2-party trials, which have several practical advantages over the 
previous 3-party trials. Our results can also be applied to so-called traitor tracing, the equiva- 
lent of fingerprinting for broadcast encryption. 



1 Introduction 

Fingerprinting schemes are cryptologic mechanisms for the copyright protection of digital 
data. They do not rely on tamper-resistance, i.e., it is assumed that the buyers obtain the 
data digitally and can in principle copy them. Buyers who abuse this possibility by illegiti- 
mately redistributing the data are called traitors. Fingerprinting schemes discourage traitors 
by enabling the original merchant of the data to identify the traitor who originally bought the 
copy. 

1 . 1 Known Classes of Fingerprinting Schemes 

Conventional fingerprinting schemes, called symmetric here, essentially work as follows: 
The merchant prepares a slightly different “copy” of the data item for each buyer. If he finds 
a redistributed data item, he finds out to which of the copies sold it corresponds. This 
concept was introduced in [W83]. Examples of how one can make imperceptible differences 
in copies and more references can be found in [ZK95, BRD95, CKLS96]. Fingerprinting 
became a cryptologic topic with the problem of collusion tolerance; What if several traitors 
collude and compare their copies to find and then eliminate differences? This problem was 
first considered in [BMP86]; solutions that can tolerate larger collusions were presented in 
[BS95]. 



* The work of this author was done at the University of Hildesheim and supported by the DFG (German 
Research Foundation). 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 88-102, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




89 



In these symmetric schemes, the merchant finds out the identity of a traitor, but cannot 
convince any third party of this treachery because he does not find anything in the 
redistributed copy that he could not have made up himself. In contrast, in asymmetric 
schemes, introduced in [PS96], the merchant obtains a proof of the treachery. For this, 
fingerprinting must be an interactive protocol between the buyer and the merchant where the 
buyer also inputs a secret and the merchant does not see the fingerprinted copy that this 
buyer obtains. Only if he finds this copy after a redistribution, he can extract the proof. The 
same collusion tolerance as in the symmetric schemes in [BS95] was achieved for 
asymmetric fingerprinting in [PW97, BM97]. 

So-called traitor tracing is the equivalent of fingerprinting for cryptologic keys. It was 
introduced in [CFN94] for broadcast encryption, i.e., for situations where the real data, 
e.g., a Pay-TV movie, are broadcast in encrypted form, and only the keys needed to decrypt 
the data are sold. Now a different personal key is sold to each buyer; the encryption scheme 
is adapted so that all the personal keys can be used to decrypt the same ciphertext. The 
schemes in [CFN94] already achieve good collusion tolerance. (Actually, these techniques 
were the basis for collusion-tolerant normal fingerprinting in [BS95].) Asymmetric traitor 
tracing, introduced in [P96], analogous to asymmetric fingerprinting, guarantees that the 
merchant obtains a proof of treachery if he finds a redistributed key. Reasonable collusion 
tolerance for asymmetric traitor tracing was also achieved in [PW97]. 

One type of scheme that so far only exists for traitor tracing [PW97], but not for normal 
fingerprinting, is an asymmetric scheme with reasonable collusion tolerance and 2-party 
trials. A 2-party trial means that the merchant can simply take his proof and convince any 
arbiter with it, whereas in a 3-party trial, the buyer also has to take part. One advantage of 
2-party trials is that one need not find the buyer to carry out the trial. However, this 
advantage is minor because in a real trial, the buyer would have to be notified anyway and 
non-technical points would have to be discussed, e.g., whether someone could have stolen 
the data item from an honest buyer. More importantly, in a 3-party trial, the buyer also still 
has to find some secrets, which means that she should not have forgotten the password 
needed to use them or died without leaving it to someone else. Additionally, one has to take 
care with multiple trials about the same data item because the buyer might have to divulge 
something about her secrets in each trial. Finally, 2-party trials are much easier to use as 
subprotocols in other schemes, as we will see below. 

1.2 Anonymous Fingerprinting 

Electronic marketplaces are supposed to offer similar privacy as current marketplaces. Thus 
it should be possible to buy cheap objects like books, pictures, and pieces of music anony- 
mously. This becomes even more important if one buys individual articles of what would 
have been a book or a magazine on paper because the choice of articles gives a lot of infor- 
mation about a person’s lifestyle, habits, etc. For such purposes, anonymous networks, 
anonymous cash-like payment systems, and even protocols for anonymous, but secure 
exchange of payment and goods exist, see, e.g., [C81, C85, BP90] for early examples and 
[B94] for an efficient anonymous off-line payment system with identification of double- 
spenders. 

It would be a pity if all this anonymity were destroyed just because the buyers had to 
identify themselves for the purpose of fingerprinting or traitor tracing. However, this unde- 




90 



sirable situation would occur with all previous symmetric and asymmetric fingerprinting 
schemes; The buyer has to identify herself for (key) fingerprinting during a purchase, and 
thus for each particular data item bought, e.g., one picture in fingerprinting or one Pay-TV 
movie in traitor tracing. 

The goal in this paper is therefore to carry out fingerprinting anonymously, but neverthe- 
less to enable the merchant to identify traitors later. This possibility of identification will 
only exist for traitors, whereas honest buyers will remain anonymous. All our schemes will 
be asymmetric, i.e., the merchant can also convince any third party that a particular person 
was a traitor. 

1.3 Our Results 

In Section 2, we introduce the exact model of anonymous fingerprinting and discuss some 
variants. In Section 3, we present a construction framework for anonymous fingerprinting 
that makes certain assumptions about an underlying fingerprinting scheme. In Section 4, we 
show how this framework can be instantiated with some existing fingerprinting and traitor 
tracing schemes, and why a gap remains. In Section 5, we fill this gap by constructing a 
scheme for collusion-tolerant asymmetric fingerprinting with 2-party trials, using Reed- 
Solomon-codes for low-rate error-and-erasure decoding. This scheme is of interest in its 
own right, too. The complexity of our constructions is still rather high; we mainly regard 
them as constructive proofs of existence. 

2 Precise Model 

We assume that at the start of our scheme, each buyer already has a key pair (skg, pk^) of a 
digital signature scheme, so that the public key can serve as a digital identity. Thus we can 
require a buyer to sign something under her identity in a protocol. 

For modularity, we also require buyers to register specifically for the fingerprinting 
scheme under their digital identity. This allows us to make the protocols of the finger- 
printing scheme concrete, without fixing how the validity of the initial digital identity is 
verified. In some situations, this registration could be joined with the initial establishment of 
the digital identity. The parties where registration can be done are called registration centers. 
A reasonable choice is the buyer’s bank, in particular if the fingerprinted data are paid with 
anonymous digital cash, because the buyer has to register with a bank anyway and will only 
be anonymous among this bank’s clients. We do not require the registration centers to be 
particularly trusted by any other party; in the strongest of our models, the only bad thing a 
registration center can successfully do is to refuse registration. 

Thus we have four types of parties: Merchants, buyers, registration centers, and arbiters 
who should be convinced in trials. Technically, the role of arbiter should not be restricted, 
i.e., it should be possible to convince anyone as long as they know a few specific public 
keys. We can still get quite a number of different definitions, depending on how active the 
registration centers and arbiters have to be, and whether the merchants and buyers have to 
trust the registration centers for any or many requirements. We are primarily interested in 
ciyptologic solutions with minimal tmst (where a cheating registration center can only refuse 
registration), but we also mention weaker models. 

We only present a detailed definition for fingerprinting schemes, not for traitor tracing. 
We follow the style of [PS96], but introduce somewhat less explicit notation for brevity. 




91 



Definition 1 (Components of anonymous fingerprinting). An anonymous 
fingerprinting scheme consists of seven protocols. Each interactive algorithm for a party in a 
protocol is polynomial-time and may be probabilistic, and it may produce an output failed to 
indicate that the protocol could not be finished in the normal way. Security parameters k for 
computational security, cr for error probabilities in information-theoretic properties, and 
colljsize for the maximum number of colluding traitors are common inputs. 

• Registration center key distribution: A registration center generates a key pair {sk/^(^, 
pkg(f), typically of an underlying signature scheme, and distributes pkj^c reliably to all 
merchants, arbiters, and the buyers that might register at this center. 

• Registration is a two-party protocol between a buyer and a registration center. The 
common inputs are the buyer’s digital identity pkg, the registration center’s public key 
pkgC’ 2 ud possibly an upper bound Ng on the number of purchases that the buyer can 
make based on one such registration. The registration center’s secret input is its secret 
key. We call the outputs the registration center’s and the buyer’s registration records. 

• Data initialization is an algorithm the merchant carries out for each data item to be sold. 
He inputs the data item and possibly an upper bound on the number of times he will 
sell it. (This protocol could be included into the first sale, i.e., the first execution of 
fingerprinting, but it is often useful to consider common precomputations separately.) 
The output is called the merchant’s initial data record. 

• Fingerprinting is a two-party protocol between a merchant and an anonymous buyer. 
The merchant secretly inputs the data item and the corresponding initial data record, and, 
not necessarily secretly, the public key of the registration center with whom the buyer 
registered. The buyer inputs her registration record or an update of it, and both input a 
common text that describes what this purchase is about. 

The output for the merchant is called a purchase record. The main output for the 
buyer is the fingerprinted data item; she may also obtain an update on her registration 
record (e.g., a purchase counter is increased and in schemes with 3-party trials, evidence 
is stored). 

• Identification is either an algorithm for the merchant alone or a two-party protocol 
between the merchant and the registration center. The merchant’s input is a redistributed 
data item whose original buyer he wants to identify, the original version of this data 
item, the initial data record, and all the purchase records for this data item. If the 
registration center takes part, its input is its registration records. 

The output for the merchant should be the identity of a buyer, the text used in the 
particular purchase, and another string called proof. 

• Enforced identification. For cases where the registration center is needed in identifica- 
tion, but refuses to cooperate, there must be a 3-party version of identification that 
includes an arbiter. The merchant should get the same outputs as in identification, and 
the arbiter either obtains the output ok or center_guilty, which denotes that the arbiter has 
noticed misbehavior by the registration center. 

• Trial is a two- to four-party protocol between at least the merchant and an arbiter, and 
possibly a buyer and a registration center. The common inputs are the identity of the 
accused buyer and the text denoting the disputed purchase. The merchant also inputs the 




92 



String proof obtained in identification. If the registration center takes part, it inputs the 
registration record of this buyer, and if the buyer takes part, she inputs her current 
updated registration record (typically just the evidence from the disputed purchase). 

The main output is the arbiter’s result. It may be guilty, which means that the arbiter 
finds the buyer a traitor, or not_guilty, which means that he rejects the accusation. In 
some systems, the output can also be center_guilty, which means that no decision 
between the merchant and the buyer could be reached because of wrong behaviour of the 
registration center. ♦ 

In the following, we describe the security requirements on such a scheme. All should also 
be fulfilled under active attacks. Generally, an active attack means that the attackers can 
influence the sequence of protocols the honest users carry out and the user inputs (e.g., the 
texts), obtain some outputs from the users (e.g., whether a protocol failed or not), and 
behave maliciously during the protocol executions. 

Definition 2 (Effectiveness). 

• Correct case. Registration and data initialization should end successfully, i.e., not with 
the output failed, if the parties in the given protocol execution are honest. Similarly, 
fingerprinting should end successfully if the merchant, the buyer, and the buyer’s 
registration center are honest, and the fingerprinted data item should be sufficiently 
similar to the data item input by the merchant. Similarity can be formalized by a given 
relation as in [PS96]. 

• No januning by registration center. Even for a cheating registration center, it is infeasible 
to carry out registration with a buyer such that it ends successfully, but nevertheless an 
execution of fingerprinting between this buyer and an honest merchant will fail later. ♦ 

The second property is one of those that define minimal trust in the registration center. Of 
course, it cannot be avoided that a cheating registration center refuses or messes up 
registration altogether. However, if the buyer notices this by the output failed, it is no 
problem: She can register at another center. It would only be a problem if fingerprinting 
failed later and the buyer and the merchant would not know whether to blame each other or 
the center. The name “jamming” was taken from the consideration of similar frauds by 
arbiters in arbitrated authentication schemes in [DY91]. 

Definition 3 (Integrity). 

• Security for the merchant. For any algorithm B of the cheating buyers that buys at most 
colljsize copies of a certain data item (i.e., engages in at most coll_size executions of 
fingerprinting for it) and then produces another copy sufficiently similar to the original 
for the merchant to feel cheated, the merchant will successfully identify a buyer, i.e., 
obtain a valid digital identity as an output in identification, together with a text used and a 
string proof, and then win a trial with any honest arbiter. Similarity is defined by a 
second given relation as in [PS96], and B may carry out any other transactions, such as 
additional registrations and buying other data items, in between as part of its active 
attack. 

This should hold even if the registration centers are cheating, i.e., B also comprises 
them. In this case, the protocol for enforced identification may be needed if normal 




93 



identification failed, and the output for the arbiter in either this protocol or the trial may 
be center_guilty, instead of guilty in the trial.' 

• Protecting the merchant from making wrong accusations. As the merchant will usually 
damage his reputation if he accuses a buyer and then loses the trial, we require that this 
does not happen to honest merchants. Thus, even if there are more than coll_size 
traitors, it should be infeasible for the other participants to make up a data item such that 
identification succeeds, and then a trial with an honest arbiter leads to the output 
not_guilty. 

• Security for the buyer. Honest buyers are not found guilty in trials. More precisely, if a 
buyer only takes part in the prescribed protocols and keeps their results secret (in 
particular, the data item bought), then, no matter what the other parties do, an honest 
arbiter will not obtain the output guilty in a trial where he entered the identity of this 
buyer. Even if the other parties can adaptively obtain some data items this buyer bought, 
selected by the texts used in the corresponding execution of fingerprinting, the buyer 
will not be found guilty for any other texts. 

• Security for registration centers. In schemes with strong security for the merchant, i.e., 

where an arbiter may decide center _guilty, honest registration centers require that honest 
arbiters never decide this about them. ♦ 

In a weaker version of security for the merchant, the requirement would only hold if at least 
the registration centers the dishonest buyers registered with are honest. A similar weak 
version of the security for the buyer is not desirable because being wrongly found guilty as 
a traitor is a fate much worse than losing some revenue. 

Finally, we come to the privacy requirements. We only make them explicitly for buyers, 
corresponding to the usual model of payer anonymity in digital payment systems. However, 
the identity of the merchant is not needed anyway, neither above nor in other types of 
fingerprinting. 

Dennition 4 (Anonymity). Nothing about the purchase behaviour of honest buyers 
becomes known to any other party, except, if the registration center cooperates, for facts 
that can simply be derived from the knowledge of who registered and for what number of 
purchases, Ng, and at what time protocols are executed. This should even hold for the 
remaining purchases if the other parties can adaptively obtain some data items this buyer 
bought. ♦ 

The exception cannot be avoided. For instance, if the first person who registers buys 
something before anybody else registers, the merchant and the registration center together 
naturally know who it was. Furthermore, the definition assumes, like that of anonymous 
payment systems, that the underlying communication does not identify the buyers. The 
definition is otherwise very strict. For instance, it implies that the merchant cannot learn 
whether a particular buyer bought a particular data item by accusing her unjustly of 
redistribution. 



' A stronger requirement that it is always a buyer who is identified would not make much sense: If a 
registration center colludes with some traitors, it can be regarded as one of them; actually, identifying a 
cheating registration center is more important than identifying a normal buyer and the merchant is more 
likely to get compensation. 




94 



We could also define weaker versions of anonymity, in particular k-out-of-/J traceability 
and linkability. Similar models have been considered with payment systems, often without 
distinguishing them. Some types of fingerprinting with weak anonymity can be imple- 
mented quite easily and without any real additional cryptology, but we omit these construc- 
tions in favor of stronger ones, 

3 Construction Framework for Full Anonymity 

During fingerprinting, the buyer has to input identifying information that will be embedded 
into the data item; we call it emb. The merchant must be convinced that this information is 
correct, but without learning more about it. Hence a construction has to address two major 
issues; 

• Relating the identifying information emb to the public key of the registration center, so 
that the merchant has a starting point for the verification that does not identify the buyer 
and does not make purchases linkable, together with a minimum-knowledge verification 
procedure. 

• A mechanism for the merchant to extract emb from a redistributed data item. This is not 
trivial because in most non-anonymous schemes, information is not simply “extracted” 
from the data item found, but derived in combination with other information or in 
interaction with an accused buyer, each of which is more complicated here. 

In this section, we show a construction framework that includes a solution to the first issue, 
but assumes a subprotocol that solves the second issue. 

Construction 1 (Framework for anonymous fingerprinting). We only show 
those protocols where anything interesting happens at this level of abstraction. 

• In registration, the buyer selects a pseudonym, i.e., a key pair {skg, pkg) of a signature 
scheme, and signs under her normal identity that she will be responsible for this 
pseudonym. She obtains a certificate certg from the registration center, i.e., a signature 
with skffd: on pk^. Intuitively, this certificate means that the registration center declares 
that it knows the identity of the buyer who chose this pseudonym. 

• In fingerprinting, the anonymous buyer secretly computes a signature on the text 
identifying the purchase, sig sign(skg, text)- The entire value to be embedded is 
emb := {text, sig, pkg, certg). This buyer hides this value in a commitment (see 
[BCC88]), sends the commitment to the merchant, and proves the validity of the hidden 
signature and certificate in zero-knowledge. 

Instead of embedding emb directly, the buyer can encrypt it, send the ciphertext to 
the merchant, and commit to and embed the key, which may be much shorter. The zero- 
knowledge proof now refers to the value obtained by decrypting the given ciphertext 
with the hidden key. 

• In identification, the merchant extracts emb. He sends proof] := {text, sig, pkg), which 
proves that the owner of this pseudonym has redistributed the data item corresponding to 
text, to the registration center and asks for identification. If the registration center 
refuses, the merchant shows proof] to an arbiter, together with certg to prove that the 
registration center knows the corresponding identity. Thus, in enforced identification, 




95 



the registration center either has to identify or will be found guilty. The registration 
center also has to send the buyer’s signature that she is responsible for this pseudonym. 
This signature and proof i constitute proof. The merchant verifies all the values before 
making an accusation. 

In the version with encryption, the merchant tries to decrypt the ciphertexts from all 
the purchase records for this data item. He verifies the resulting cleartexts as above, and 
uses the first that fulfils the criterion. 

• In a trial, the arbiter first verifies the accused buyer’s signature that she is responsible for 
the pseudonym pkg, and then that sig is a valid signature on text corresponding to this 
pseudonym. 

Theorem 1. If all the underlying primitives are secure, the construction framework yields 
a provably secure anonymous fingerprinting protocol. ♦ 

The proof is quite straightforward and omitted here. The security assumptions about the 
underlying scheme for embedding are (a) for the security and anonymity of the buyer, that it 
does not leak information about emb, and (b) for the security of the merchant, that extracting 
will in fact recover the embedded value if there are at most coll_size traitors. The security of 
the zero-knowledge proof scheme must be assumed in the same kind of composition that we 
allow for our protocols. 

4 Instantiation with Known Fingerprinting Schemes 

We now identify existing fingerprinting schemes that offer the combination of embedding 
and extracting needed in Construction 1 . We also describe some details of other finger- 
printing schemes because they help understanding the new construction in Section 5. 

For the cryptologic aspects of fingerprinting, it is typically assumed (starting with 
[BMP86, BS95]) that a marking scheme is given, i.e., a data-type-dependent scheme for 
hiding individual bits in data items. Each mark is a part of the data item for which 2 versions 
exist. In data initialization, the merchant probabilistically selects a tuple of / marks for the 
given data item. Each fingerprinted data item can now be described by a binary codeword of 
length 1: the /-th bit denotes which version of the data is used in the i-lh mark. It is assumed 
that traitors can only notice and delete marks by comparing their copies. More precisely, the 
Marking Assumption [BS95] states that if the codewords of all traitors agree in the i-th bit, 
any redistributed copy they make will correspond to a word with the same i-th bit. 

A consequence of the Marking Assumption is that in any redistributed data item pro- 
duced by at most coll_size traitors, the merchant will find a word that has at least I / coll_size 
bits in common with the codeword of at least one traitor. (If the traitors delete a mark they 
have identified, instead of using one of the 2 versions, the merchant arbitrarily sets the 
corresponding bit in the word to 0 or 1.) The merchant now has to derive some real 
information; this can be seen as a problem of error correction for far more errors than correct 
symbols. We now consider how different fingerprinting schemes deal with this problem, 
and whether they offer the direct extraction we need (+/-): 

+ Symmetric schemes with (almost) no collusion tolerance: If there is no collusion at all, 
the marking assumption implies that the whole codeword of the traitor remains intact. 
Hence it can simply be extracted. Some schemes do not assume traitors to be clever and 




96 



hope that the majority of one word will still be intact, so that a normal error-correcting 
code can be used. 

- Symmetric collusion-tolerant schemes [BMP86, BS95]: Essentially, the merchant looks 
through the list of the codewords he has used and checks which of them has l/coll_size 
symbols in common with the redistributed word. (In fact, a somewhat more complicated 
code and comparison is used to make it provably unlikely that an honest participant’s 
codeword also has so many symbols in common with the redistributed word.) These 
schemes cannot be used for embedding and extracting a significant amount of infor- 
mation because then the merchant would not know the codewords that were used, and a 
list of all possible ones would be exponentially long. 

- Asymmetric schemes with 3-party trials also had to address the problem that the code- 
words used cannot be known to the merchant entirely because parts of them are needed 
to make up proof, the proof of redistribution, when they are found. The basic idea in 
[PW97, BM97] is to make one half of the codeword known to the merchant in finger- 
printing and to keep the other half secret. In identification, the merchant first searches a 
list of the known halves to identify a buyer, whom he accuses. He only has the other 
half, which should contain proof, with a large number of errors, too many for efficient 
decoding. Thus the accused buyer is now asked to show the real proof, and the arbiter 
compares if it has enough symbols in common with what the merchant found. 

However, this three-party idea cannot be used in the anonymous case because the 
merchant does not know whom to accuse before he has found the correct secret, and one 
cannot ask many buyers to divulge theirs. More technically, we see that proofs not 
actually extracted. 

+ Asymmetric collusion-tolerant traitor tracing with 2-party trials [PW97, Section 4] 
(based on ideas from [CFN94]): A code is used where some parts of the codeword must 
be taken from one traitor as a whole. The entire secret that will be the main part of proof 
is used as many such parts, so that it will come through at least once. 

This scheme can be used for embedding and extracting arbitrary values emb'. These 
values are treated Just as the main part of the proof was treated above. In the notation of 
[PW97] for readers familiar with it: emb is used as the second-level codewords instead 
of ridg. All parts of the scheme that do not deal with embedding and extracting, i.e., the 
one-way image of ridg and its signing and verification, are omitted. 

For fingerprinting, there seems to be no idea yet how to glue large parts together so that they 
have to be taken from one traitor as a whole, as in traitor tracing. However, in the follow- 
ing, we will use much smaller parts that will be correct as a whole, and apply error-and- 
erasure-correcting codes. 

5 Collusion-Tolerant Asymmetric Fingerprinting 
with 2-Party Trials 

5.1 Ideas 

Recall the basic idea from [BS95] to achieve a certain level of collusion tolerance among a 
large number of participants; A concatenated code (called nested in [B83]) is used where the 
outer words are of length I over the alphabet {1, ...,g], and the inner code, which is used 




97 



to encode each symbol of an outer codeword, is a fixed binary code Fq of length 
where I, d, and q are three parameters that we adapt to our purposes below. 

The important property of Fq is that it has a decoding procedure that guarantees that, 
except with exponentially small probability, an outer symbol that appeared in the codeword 
of at least one traitor will be extracted in each position. The precise error probability is 2“°^ 
for all / outer symbols together if d is chosen as 2 ^^(log 2 ( 2<70 + cr). 

Thus the symbols of the outer codeword are blocks that have to be taken from one traitor 
as a whole, as desired in the construction idea in Section 4. However, they can only encode 
a very small number of bits because the inner code is essentially unary. Thus we proceed in 
a more complicated way to put several such small pieces together again, i.e., to try and find 
a certain number that come from the same traitor. For this, we will link known and secret 
halfsymbols (in contrast to the unconnected known and secret symbols of the words in 
[PW97, BM97]), so that symbols that disagree on the known halfsymbols can be excluded 
right away. This leaves us with many erasures, but hopefully few errors, and thus we can 
hope for efficient decoding. We will do this with Reed-Solomon codes, but we first present 
the rest of the construction without fixing the code. 

5.2 Construction with Generic Code 

The following construction is only a scheme for embedding and extracting data. It can either 
be used in Construction 1 to obtain an anonymous collusion-tolerant fingerprinting scheme, 
or as a normal collusion-tolerant asymmetric fingerprinting scheme with 2-party trials. For 
the latter, the values emb are selected and treated like the values id^y^ in Construction 1 of 
[PS96]; In fingerprinting, the buyer randomly chooses emb and gives the merchant a one- 
way image im of it, together with a signature. Later, knowing the preimage emb of im 
proves that the merchant found the redistributed data. 

Note that in both these applications. Construction 2 and the surrounding scheme are 
coupled over a secret value, emb, that must be the same in both schemes, i.e., the same 
commitment must be used. 

We denote the binary length of the values to be embedded as a function len{k) of the 
computational security parameter because they are usually cryptologic secrets. The follow- 
ing construction is in terms of four parameters l,d,q\, and ^2> which will be chosen as 
polynomial functions of the given parameters k, a, coU_size, and Here, I and d will be 
used for a concatenated code exactly as explained in Section 5.1, and the parameter q for 
that code will be q\q 2 - We assume that q^ and 93 small powers of 2, say qj = 2'^'. Thus 
each symbol of the outer code can be represented as the concatenation of two short strings 
of length fC] and K 2 - 

We also need an error-and-erasure-correcting code EECC of the same length I over an 
alphabet of size ^2 ^nd of sufficient dimension dim to encode the values to be embedded, 
i.e., K 2 dim > len{k). The precise error-and-erasure-correcting properties needed are 
discussed below. 

Construction 2 (Embedding and extracting). 

• Data initialization. The merchant chooses marks for the data item using the underlying 
marking scheme. Furthermore, for each of the I positions of the outer code, he chooses a 
substitution substj randomly, i.e., a permutation of the alphabet {1, q]. Recall that 

the alphabet is small enough for a random permutation to be represented as a table. 




98 



• Embedding: The merchant’s secret inputs are the data item and the initial data record. 

The commitment that fixes the value embg that will be embedded for the current buyer is 

a common input.^ The buyer’s secret input is embg and the auxiliary data needed to open 

the commitment. 

• The merchant secretly selects )fi random bits for each of the / symbols of the outer 
codeword. We call them halfsymbols and denote the choice as 

halfword_searchg := {halfsym_searchg j, ..., halfsym_searchg ;). 

• Now embg is encoded with the error-and-erasure-correcting code EECC into I 
halfsymbols of K 2 bits each. We call them halfsym_embg^, .... halfsym_embg i. 
The buyer can do this alone if she hides the result in commitments again and proves 
in zero-knowledge that the computation was correct. 

• The halfsymbols from the merchant and the buyer are mixed into symbols by the 
operation 

symg i := substi{halfsym_searchg , II halfsym_embg j), 
where subst^ is the substitution chosen in data initialization for this symbol position. 
We will see below why this encryption is necessary for the security of the merchant. 
This step and the following one require secure 2-party computation because secrets 
from both parties are used. The outer codeword of this buyer is 

wordg ;= (sywg,), ..., syrngj). 

• Each outer symbol symg ^ is encoded using the inner code Eq, and the resulting word 
is used to fingerprint the data item. The result is only output to the buyer. 

• Extracting. 

• For each of the I positions of the outer code, the merchant uses the identification 
procedure of the underlying code Eq to identify a symbol sym^g^j {“red" for 
“redistributed”). He decrypts it using substf^ and separates it into its halves of 
length tCj and K 2 , respectively. We call the resulting outer word word^gj and the 
word consisting of all the first halves halfword_search^g^. 

• The merchant searches among his purchase records for the given data item for one 
where halfword_searchj has at least Ucoll_size (half-)symbols in common with 
halfword_searchgg^. 

• He now tries to extract the value embj from the second halfsymbols of wordgg^. First 
he excludes all those symbols sym^g^^ that definitely do not belong to this traitor 
because their first halfsymbols are different from those in halfword_searchj. The 
remaining second halfsymbols, halfsym_emb^g^ j, constitute a word with many 
erasures. The merchant applies the decoding procedure of EECC to it and hopes that 
the result is embj. 

5.3 Security of the Construction and Requirements on the Code 

We now consider the security of the scheme and find out how many errors the code EECC 

has to tolerate in addition to the erasures. The effectiveness of the scheme, i.e., that 



2 



Using the index B is only a notational help for us to distinguish the values used with different buyers; of 
course it does not mean that the merchant has to know this buyer’s identity. 




99 



embedding yields a reasonable data item for the buyer if nobody cheats, is clear if it holds 
for the underlying marking scheme. Recall from the proof sketch of Construction 1 what 
security requirements we made on a scheme for embedding and extracting: 

• Security of the buyer. The merchant should not gain knowledge about embg during 
embedding. 

• Security of the merchant. As long as there are at most coll_size traitors, extracting will 
recover the value embj used by a traitor with high probability. 

The same requirements make the application in a non-anonymous fingerprinting scheme 
secure. 

Security for the buyer. This is clear because the only output the merchant gets from the 
steps that involve embg are commitments, a zero-knowledge proof, and his view of a secure 
2-party computation without output to him. 

Security for the merchant, overview. First, the properties of the underlying code Fq 
guarantee that all symbols and thus all halfsymbols in halfword_search^gj, will 

belong to one of the traitors, with an error probability of at most 2”^ overall. At least one 
traitor T* must therefore have contributed at least l/coll_size halfsymbols. Thus the 
merchant’s search in the second step of extracting succeeds. 

We show in 1 . below that for suitably chosen parameters, the merchant almost certainly 
really identifies the record of a traitor, i.e., no record of an honest buyer fulfils the search 
criterion. 

However, it is not clear that the traitor T whom the merchant identifies contributed at 
least UcoU_size entire symbols, nor that all the symbols that she did not contribute will lead 
to erasures, because different symbols can agree on their first half But at least we show in 
2. below that in a position i where a symbol from a traitor other than T was used, the first 
halfsymbol is random. Intuitively, this means that the traitors cannot introduce errors instead 
of erasures on purpose. 

Hence there are at most errors on average. We show in 3. below that there are al- 
most always at most 3-2“'‘^i/ errors. Moreover, the merchant’s search criterion immediately 
implies that there are at most I - llcoll_size erasures. Hence it is sufficient to use a code 
EECC that tolerates e = 3-2“'‘^i/ errors and r = l- l/coll_size erasures. 

Details. We now prove the three statements from the overview and state the necessary 
constraints on the parameters. As the worst case, we assume that the traitors know their 
own codewords completely, i.e., they know to which indices the marks they found belong 
and which version of the data in one mark encodes 0 and 1 , respectively. 

1 . We have to show that almost certainly no honest buyer’s halfword_searchg will have 
Ucoll_size symbols in common with halfword_search^g^. This is a standard proof 
of collusion tolerance since [CFN94]: The traitors have no information about the 
randomly chosen halfword_searchg because the merchant is honest in this part of the 
proof Hence, when selecting halfword_search^g^, the probability that they guess a 
particular halfsymbol of a particular buyer correctly is p = Let S be the random 
variable denoting the number of symbols guessed correctly. By the Chernoff bound, 
P(S > 3pl) < i.e., P{S > If we want to bound the overall 

probability for all Nf^ buyers by 2~^, we need > 3coll_size and I > q-^io+logiiN 




100 



2. We have to show that in every position i where the traitors use a symbol sym^g^ i ^ 
syniTj, the equality halfsym_search,.ggj j = halfsym_searchxj will independently hold 
with probability at most As the merchant has chosen both these halfsymbols 
randomly and independently, it suffices to show that the traitors have no information 
what values of halfsym_search are encrypted by any symbol sym^gj. We can consider 
each position i separately because the merchant does not use any common information in 
different positions. 

The only knowledge the traitors have about the encryption function substj is their 
own symbols symj* ^ and the corresponding halfsymbols halfsym_embj*^i. This is at 
most as much information as if they knew the precise range of the restricted substitution 
substji • , halfsym_emb) for each value of halfsym_emb. These substitutions are 
completely independent random permutations (onto renamed domains). If the attackers 
select synirgji^ sym-pi from the range of substi{ • , halfsym_embj-i), then 
halfsym_searchfggi j = halfsym_searchj i is impossible because of the one-to-one 
property. Otherwise, they have no information whether the first halfsymbols agree 
because of the independence of the permutations. 

3 . Finally, we show that there are almost always at most 3-2~’^U errors. We know from 2. 
that in each position, there is an error with respect to the word of a particular traitor T 
with probability at most p = 2"'^i = q^. Hence we can use the Chernoff bound as in 1. 
This leads to the constraint / S q\{a+log 2 (.coll_size)), if we want to bound the proba- 
bility by for all traitors together. This constraint is weaker than that in 1 . 

5.4 Reed-Solomon Codes for Error-and-Erasure Decoding 

We first recall the properties of Reed-Solomon codes. All the results mentioned here can be 
found in [B83]. Reed-Solomon codes are a class of cyclic codes. Any finite field GF(^) can 
serve as the alphabet; the blocklength is then l = q - 1 , That the blocklength for a given 
alphabet is fixed is a certain restriction. For any t < 1/2, there is a Reed-Solomon code of 
minimum distance d = 2t + I and dimension dim = I - 2t, and it can be constructed 
efficiently.^ This is the maximum dimension possible for the given minimum distance for 
any linear code; reaching this bound is the main advantage of Reed-Solomon codes. 

Usually, a code with minimum distance c? = 2t + 1 is used to correct up to t errors. 
However, such a code can also tolerate any combination of e errors and r erasures with 
2e + r + 1 < d. This can easily be seen because the restriction of the code to the positions 
where no erasure occurred still has a minimum distance of at least d-r. Furthermore, all 
BCH codes, of which Reed-Solomon codes are a subclass, can be efficiently decoded for 
2e + r -t- 1 < d*, where d* is their so-called designed distance, which equals d for Reed- 
Solomon codes. 

5.5 Setting the Parameters 

If we use Reed-Solomon codes in Construction 2, the alphabet size q 2 = 2'^ equals the 
blocklength I plus 1. To tolerate the up to e = 3 ■2"'^' I errors and r=l- l/coll_size erasures. 



•1 

For concreteness: If a is a primitive element of GFf^), the generator polynomial of this code is g(x) = 
(x-a)(x-oc^)...(x-cP''), i.e., the code consists of the multiples of g(jr) by polynomials of degree less 
than l-2i. 




101 



we need a minimum distance tf = 2r+lS2e + r+ 1, which means 2f t + I - 

Ucoll_size. To encode the secrets to be embedded, we need dim = I -2t> len(k)/K 2 = 
/cn(A:)/log2(/+l). Both inequalities for t can be fulfilled iff I and K'l are chosen such that 
(neglecting rounding errors) 

-6-2“'^U + UcoU_size > /en(ft)/log2(/). 

Certainly, the left side must be positive; let us require 2’^i > 2Acoll_size. Then I remains to 
be chosen such that / log2(/) 5 A/3len(k)coll_size. Let /* := len{k)coll_size. One can easily 
verify that / > 2Z*/log2(/*) is a sufficient condition. 

6 Conclusion 

We have introduced the concept of anonymous fingerprinting, a cryptologic copyright 
mechanism where honest buyers need not identify themselves to merchants, but merchants 
can nevertheless find out the identity of traitors who redistribute data without permission. 
We (informally) presented a precise definition of the concept, mentioned some variants, and 
presented a provably secure framework construction. It can be instantiated with some 
known schemes for fingerprinting without much collusion tolerance and for collusion- 
tolerant traitor tracing. To obtain collusion-tolerant fingerprinting, too, we constructed the 
first collusion-tolerant asymmetric fingerprinting scheme with 2-party trials. Such trials have 
practical advantages. However, the complexity in the current instantiation with Reed- 
Solomon codes is somewhat higher than that of known schemes with 3-party trials. A code 
where the same amount of data could be encoded with a smaller alphabet and a longer 
blocklength would reduce this problem; however, we are not aware of one where the 
minimum distance can be very near the blocklength and an efficient procedure for error-and- 
erasure-decoding is known. Actually, we regard our constructions rather as constructive 
proofs of existence. However, the 2-party protocol used for actually fingerprinting the data 
can be replaced by an efficient scheme from [PS96J, and so can the preceding step where 
the outer codeword is expanded using fo. Thus no general primitives are needed on the 
overwhelming part of the data. We are confident that one could also improve upon the 
remaining ones, but shortening the codes seems more important. 

Acknowledgments 

We thank Matthias Schunter for interesting discussions and Rudi Piotraschke for helpful 
advice with coding theory. 

References 

[B83] Richard E. Blahut: Theory and Practice of Error Control Codes', Addison- 
Wesley, Reading 1983. 

[B94] Stefan Brands: Untraceable Off-line Cash in Wallet with Observers', Crypto 
’93, LNCS 773, Springer- Verlag, Berlin 1994, 302-318. 

[BCC88] Gilles Brassard, David Chaum, Claude Crepeau: Minimum Disclosure Proofs 
of Knowledge', Journal of Computer and System Sciences 37 (1988) 156-189. 




102 



[BM97] 

[BMP86] 

[BP90] 

[BRD95] 

[BS95] 

[C81] 

[C85] 

[CFN94] 

[CKLS96] 

[DY91] 

[P96] 

[PS96] 

[PW97] 

[W83] 

[ZK95] 



Ingrid Biehl, Bernd Meyer: Protocols for Collusion-Secure Asymmetric 
Fingerprinting’, accepted for 14th Symposium on Theoretical Aspects of 
Computer Science (STAGS) 1997. 

G. R. Blakley, C. Meadows, G. B. Purdy; Fingerprinting Long Forgiving 
Messages’, Crypto ’85, LNCS 218, Springer-Verlag, Berlin 1986, 180-189. 
Holger Biirk, Andreas Pfitzmann: Value Exchange Systems Enabling Security 
and Unobservability’, Computers & Security 9/8 (1990) 715-721. 

F. M. Boland, J. J. K. O Ruanaidh, C. Dautzenberg: Watermarking Digital 
Images for Copyright Protection ’, 5th lEE International Conference on Image 
Processing and its Applications, Edinburgh 1995, 326-330. 

Dan Boneh, James Shaw: Collusion-Secure Fingerprinting for Digital Data; 
Crypto ’95, LNCS 963, Springer-Verlag, Berlin 1995, 452-465. 

David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital 
Pseudonyms’, Communications of the ACM 24/2 (1981) 84-88. 

David Chaum: Security without Identification: Transaction Systems to make 
Big Brother Obsolete’, Communications of the ACM 28/10 (1985) 1030-1044. 
Benny Chor, Amos Fiat, Moni Naor: Tracing Traitors’, Crypto ’94, LNCS 
839, Springer-Verlag, Berlin 1994, 257-270. 

Ingemar Cox, Joe Kilian, Tom Leighton, Talal Shamoon: A Secure, Robust 
Watermark for Multimedia’, Information Hiding, LNCS 1174, Springer- 
Verlag, Berlin 1996, 185-206. 

Yvo Desmedt, Moti Yung: Arbitrated Unconditionally Secure Authentication 
can be Unconditionally Protected Against Arbiter’ s Attacks; Crypto ’90, LNCS 
537, Springer-Verlag, Berlin 1991, 177-188. 

Birgit Pfitzmann: Trials of Traced Traitors; Information Hiding, LNCS 1 174, 
Springer-Verlag, Berlin 1996, 49-64. 

Birgit Pfitzmann, Matthias Schunter: Asymmetric Fingerprinting; Eurocrypt 
’96. LNCS 1070, Springer-Verlag, Berlin 1996, 84-95. 

Birgit Pfitzmann, Michael Waidner: Asymmetric Fingerprinting for Larger 
Collusions; accepted for 4th ACM Conference on Computer and Communi- 
cations Security, 1997. 

Neal R. Wagner: Fingerprinting; 1983 Symposium on Security and Privacy, 
IEEE, Oakland, California, 1 8-22. 

Jian Zhao, Eckhard Koch: Embedding Robust Labels Into Images For 
Copyright Protection; International Congress on Intellectual Property Rights 
for Specialized Information, Knowledge and New Technologies, Oldenbourg- 
Verlag, Vienna 1995. 




A Secure and Optimally Efficient 
Multi- Authority Election Scheme 



Ronald Cramer* Rosario Gennaro** Berry Schoenmakers*** 



Abstract. In this paper we present a new multi-authority secret-ballot 
election scheme that guarantees privacy, universal verifiability, and ro- 
bustness. It is the first scheme for which the performance is optimal 
in the sense that time and communication complexity is minimal both 
for the individual voters and the authorities. An interesting property 
of the scheme is that the time and communication complexity for the 
voter is independent of the number of authorities. A voter simply posts 
a single encrypted message accompanied by a compact proof that it con- 
tains a valid vote. Our result is complementary to the result by Cramer, 
Franklin, Schoenmakers, and Yung in the sense that in their scheme 
the work for voters is linear in the number of authorities but can be 
instantiated to yield information-theoretic privacy, while in our scheme 
the voter’s effort is independent of the number of authorities but always 
provides computational privacy-protection. We will also point out that 
the majority of proposed voting schemes provide computational privacy 
only (often without even considering the lack of information-theoretic 
privacy), and that our new scheme is by far superior to those schemes. 



1 Introduction 

In the cryptographic literature, electronic voting protocols are known as the 
prime examples of secure multi-party computations. Many papers have been 
written on the subject and by now an extensive list of properties and require- 
ments is generally accepted as desirable. We will consider these properties in 
this paper, among which are privacy, universal verifiability, and various forms of 
robustness. Recent advancements have also been particularly concerned with the 
performance aspect. In this paper we will show under which circumstances it is 
possible to achieve a scheme with optimal performance for large-scale elections, 
while at the same time keeping the system simple and provably secure. 

In considering the performance of elections it is clear that the main consid- 
eration should be the effort required of a voter. Indeed, while governments can 
(and do nowadays) afford a large organizational effort to hold elections, it is 
mandatory to make the voting protocol cis simple and efficient as possible for 
the voter — who might be participating from home using a PC or a Web TV. 

* Inst, for Theoretical Comp. Sc., ETII-Z, CH-8092 Zurich, Switzerland. 
creuner9inf . ethz . ch 

** IBM T.J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, 
USA. rosarioawatson.ibm.com 

*** DigiCash, Kruislaan 419, NL-1098 VA Amsterdam, The Netherlands. 

berrySdigicash . com 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 103-118, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




104 



In this paper we present a simple multi-authority election scheme in which 
the task of the voter is reduced to the bare minimum. Basically, the voter posts 
a single encrypted message (ballot) accompanied with a proof that it contains 
a valid vote. For security parameter fc, the size of the ballot as well as of its 
proof of validity is 0{k) bits. Moreover, due to the homomorphic properties of 
the encryption method used, the final tally is verifiable to any observer of the 
election, while due to the use of a matching fault-tolerant threshold decryption 
technique, the individual votes will remain private and the (benign or malign) 
failure of authorities can be tolerated. 

We work in the model set forth by Benaloh et al. [CF85, BY86, Ben87], where 
the active parties are divided into I voters Vi,. . . ,Vi and n tallying authorities 
(talliers) , . . . , . To achieve universal verifiability all parties have access 

to a so-called bulletin board. A bulletin board is like a broadcast channel with 
memory to the extent that any party (including passive observers) can see the 
contents of it, and furthermore that each active participant can post messages by 
appending the message to her own designated area. No party can erase anything 
from the bulletin board. 

In this model, voters cast their votes by posting ballots to the bulletin board. 
The ballot does not reveal any information on the vote itself but it is ensured by 
an accompanying proof that the ballot indeed contains a valid vote and nothing 
else. Due to a homomorphic property of the ballots, the final tally (“sum” of all 
votes) can be obtained and verified (by any observer) against the “product” of 
all submitted ballots. This ensures universal verifiability. 

Although we are emphasizing the application of our scheme to large-scale 
elections, it is also suitable for small-scale elections such as boardroom elections. 
In the latter case it is even conceivable that each voter plays the role of tallying 
authority as well; a PC network will suffice as computing platform. 



1.1 Computational versus information-theoretic privacy 

By far, the majority of election protocols that support some level of verifiability 
(either universal or limited to voters, who can check their own vote) merely pro- 
vide computational protection of the voter’s privacy. For example, the schemes 
presented by Benaloh et al. [CF85, BY86, Ben87, BT94] all rely on the so-called 
r-th residuosity assumption. Once this assumption is broken (e.g., when the 
public modulus is factorized), the content of each individual ballot can be de- 
crypted. Similarly, schemes using anonymous channels or mixes [ChaSl] usually 
rely on computational assumptions. By recovering the private keys of the mixes, 
an adversary is able to “open” all ballots posted to the first mix. For example, 
the scheme of [SK95] relies on the difficulty of computing discrete logs, both for 
the secrecy of the mixes’ private keys and for the contents of the ballots. 

The extent to which the lack of information-theoretic privacy is harmful may 
be difficult to estimate. For instance, it is hard to predict what happens if fifty- 
year old votes of a U.S. president are published — although breaking the encryp- 
tion methods for the currently widely used security parameters will probably be 
much more harmful. 

Whither democracy, from a cryptographic standpoint it is necessary to deter- 
mine the limits for computational and information-theoretic privacy. As an aside 




105 



we note that the mere use of multiple authorities can be considered a condition 
as well. Indeed, election protocols have been proposed that try to eliminate this 
condition, e.g., see [PW92], but the methods used still require conditions re- 
garding the channels connecting the participants. Since in our case the bulletin 
board is implemented from multiple servers anyway, and it is seen as a necessary 
primitive for achieving universal verifiability, we will not consider eliminating 
the use of a distributed tallying authority. Yet, to some extent we will take into 
account that authorities may be compromised over time, see below. 



1.2 Our contributions 

In this paper we will see how far one can go if computational privacy is the goal. 
For computational privacy it suffices to assume a public broadcast channel (bul- 
letin board) as communication model. To make an election scheme information- 
theoretically secure, it is generally believed that private channels between voters 
and authorities are required. In Section 6.1 we will look into this aspect. 

The main result of this paper is a fair election scheme in which the complexity 
of the voter’s protocol is linear in the security parameter k — hence optimal. This 
comprises the computational as well as the communication complexity (in bits) . 
The voter needs to communicate only 0{k) bits and to perform 0{k) modular 
multiplications.^ Moreover, the dominating factor for the work of an authority 
is 0{lk). Compared to the scheme of [CFSY96], we thus achieve a reduction of 
the work for each participant by a factor of n. 

In the new scheme, the voter just sends a particular ElGamal encryption of 
the vote plus a proof that it indeed contains a valid vote. The proof prevents 
the voters from casting bogus ballots, and should be such that no information 
whatsoever leaks about the actual vote contained in a ballot. The crux is to keep 
this proof 0{k), and here we follow the approach of [CFSY96]. We will need a 
novel application of the technique of [CDS94] for constructing efficient witness 
hiding protocols. The resulting proof of validity is a little bit more complicated 
than in [CFSY96], but still requires only a few modular exponentiations. A proof 
of knowledge similar to our proof of validity has been used by Chen and Pedersen 
to construct efficient group signatures [CP95]. 

Unlike previous schemes based on Benaloh’s approach, however, we will 
achieve robustness w.r.t. faulty authorities without increasing the work for the 
voter. To this end, we will employ fault-tolerant threshold cryptosystems instead 
of (verifiable) secret sharing schemes. In our case there will be only one public 
key for which the matching private key is shared among the authorities using 
threshold cryptography techniques (see [Des94] for a survey.) The voter posts 
the ballot encrypted with the public key of the authorities. The private key is 
never reconstructed, and only used implicitly when the authorities cooperate to 
decrypt the final tally. The correctness of the decryption will be assured, even 
in the presence of malicious authorities. 

Apart from achieving a strong set of properties, three major achievements 
of our scheme are: (i) The work required of the voter is minimal. Compared to 
[CFSY96] the work is reduced by a multiplicative factor of n. Although n is 

^ Throughout, wc will take a modular multiplication of two 0{k) sized numbers as our 
unit of work. 




106 



usually much smaller than k, this is still a substantial gain in practice. The work 
for the authorities and observers is reduced accordingly, (ii) The protocol for the 
voter remains the same even if n is variable. Usually n grows with the desired 
security of the scheme (the more authorities the less potential that an adversary 
can corrupt, say, half of them). Using our protocol this growth is “transparent” 
to the user, (iii) As a bonus, the new scheme can easily be extended using 
techniques for proactive threshold cryptosystems [HJJ+97] to leave the system 
(and its keys) in place for a really long time without fearing that the secret key 
gets compromised (see Section 6.3). 

The security of the main scheme presented in the paper is related to the 
difficulty of the discrct log problem. In Section 5 we describe an alternative 
construction related to the hardness of factoring. Finally, in Section 4 we show 
how our approach can be extended to more general classes of elections, and 
in Section 6.2 we consider the issue of receipt-free or incoercible elections and 
discuss the relevance of our paper in this area. 



2 The building blocks 

2.1 Bulletin board 

The communication model required for our election scheme is best viewed as 
a public broadcast channel with memory, which is called a bulletin board. All 
communication through the bulletin board is public and can be read by any 
party (including passive observers). No party can erase any information from 
the bulletin board, but each active participant can append messages to its own 
designated section. 

To make the latter requirement publicly verifiable, we assume that digital 
signatures are used to control access to the various sections of the bulletin board. 
Here we may take advantage of any public-key infrastructure that is already in 
place. Also note that by postulating that each participant can indeed append 
messages to its section, it is implicitly assumed that denial-of-service attacks 
are excluded. This property is realized by designing the bulletin board as a set 
of replicated servers implementing Byzantine agreement, for instance, such that 
access is never denied as long as at most a third of the servers is compromised. 
Reiter’s work on the Rampart system shows that this can be done in a secure 
and practical way (see, e.g., [Rei94, Rei95]). 



2.2 ElGamal cryptosystem 

Our election scheme relies on the ElGamal cryptosystem [DH76, E1G85]. It is 
well-known that the ElGamal cryptosystem works for any family of groups for 
which the discrete logarithm is considered intractable. Part of the security of 
the scheme actually relies on the Diffie-Hellman assumption, which implies the 
hardness of computing discrete logarithms [DH76]. Although all our construc- 
tions can easily be shown to work in this general discrete log setting, we will 
present our results for subgroups G,, of order q of 2*, where p and q are large 
primes such that 1 p — 1- Other practical families can be obtained for elliptic 
curves over finite fields. 




107 



We will now briefly describe the ElGamal cryptosystem, where the primes p 
and q and at least one generator g of Gg are treated as system parameters. These 
parameters as well as other independent generators introduced in the sequel 
should be generated jointly by (a designated subset) of the participants. This 
can be done by letting the participants each run a copy of the same probabilistic 
algorithm, where the coinflips are generated mutually at random. 

The key pair of a receiver in the ElGamal cryptosystem consists of a private 
key s (randomly chosen by the receiver) and the corresponding public key /i = <?* , 
which is announced to the participants in the system. 

Given a message rn £ Gq, encryption proceeds as follows. The sender chooses 
a random a G and sends the pair (x,y) — (p“, h“m) as ciphertext to the re- 
ceiving party. To decrypt the ciphertext (x, y) the receiver recovers the plaintext 
as m = y/a;®, using the private key s. 

2.3 Robust threshold ElGamal cryptosystem 

The object of a threshold scheme for public-key encryption is to share a private 
key among a set of receivers such that messages can only be decrypted when a 
substantial set of receivers cooperate. See [Des94] for a survey. The main proto- 
cols of a threshold system are (i) a key generation protocol to generate the private 
key jointly by the receivers, and (ii) a decryption protocol to jointly decrypt a 
ciphertext without explicitly reconstructing the private key. For the ElGamal 
system described above, solutions for both protocols have been described by 
Pedersen [Ped91, Ped92], also taking robustness into account. 

Key generation As part of the set-up procedure of the election scheme, the 
authorities will execute a key generation protocol due to Pedersen [Ped91]. The 
result of the key generation protocol is that each authority Aj will possess a 
share sj G Z, of a secret s. The authorities are committed to these shares as 
the values hj = y®-" are made public. Furthermore, the shares sj are such that 
the secret s can be reconstructed from any set A of t shares using appropriate 
Lagrange coefficients, say: 

S — ^ ^ SjXj^Ai ~ ^ • (^) 

This is exactly as in Shamir’s (t, n)-threshold secret sharing scheme [Sha79]. 
The public key /i = y® is announced to all participants in the system. Note 
that no single participant learns the secret s, and that the value of s is only 
computationally protected.® 

Decryption To decrypt a ciphertext (x,y) = (y“, h°‘m) without reconstructing 
the secret s, the authorities execute the following protocol: 

1. Each authority Aj broadcasts Wj = and proves in zero-knowledge that 

logg hj = log^ Wj. 

® The private channels assumed in Pedersen’s key generation protocol may be imple- 
mented using public key encryption and the bulletin board. This suffices for compu- 
tational security. 




108 



Prover 




Verifier 


[(x, 2 /) = (s“,/i“)] 
w Gji Z, 

(a,6)<-(s"’,h-) _ 


a, b 


-X 


/ - ■ 


c 


_ c £r Z, 


X 

r w -\- ac 


r 


? 

g’’ = ax’= 



^ y — 

= by^ 



Fig. 1. Proof of knowledge for log^ x — log^ y. 



2, Let A denote any subset of t authorities who passed the zero-knowledge 
proof. By raising x to both sides of equation (1), it follows that the plaintext 
can be recovered as 

m = y/'[[ Wj"'' ■ 

j€A 

Note that step 2 assures that the decryption is correct and successful even if 
up to n — t authorities are malicious or fail to execute the protocol. The zero- 
knowledge proof of step 1 will be described in the next section. 



2.4 Proofs of knowledge for equality of discrete logs 

Using the same notation as above, we present proofs of knowledge for the relation 
logg X = log/, y, whereby a prover shows possession of an a € Z, satisfying 
X = and y — h°‘. kn efficient protocol for this problem is due to Chaum and 
Pedersen [CP93], see Figure 1. This protocol is not known to be zero- knowledge 
or witness hiding. The following result however suffices for our application (see 
also [CDS94] for definitions of the notions involved). 

Lemma 1. The Chaum-Pedersen protocol is a three-move, public coin proof of 
knowledge for the relation log^ x — log/, y. The proof satisfies special soundness, 
and is special honest-verifier zero-knowledge. 

Proof. The protocol inherits its properties from the underlying Schnorr protocol 
[Sch91]. Special soundness holds because from two accepting conversations with 
the same first move (a, b, c, r) and (a, 6, c', r'), c ^ c', a witness w = ^5^ can be 
extracted satisfying x = g® and y = li^ . Honest- verifier zero-knowledge holds 
because, for random c and r we have that {g^x~‘^,h^y~'^,c,r) is an accepting 
conversation with the right distribution. Since the challenge c can be chosen 
freely, we also have special honest-verifier zero-knowledge. 

Notice that the above protocol is zero-knowledge only against the honest 
verifier, but this suffices for our purpose (see, e.g., [Cha91] for an efficient zero- 
knowledge protocol). Indeed, jumping ahead a little, in order to make our pro- 
tocols non-interactive, the verifier will be implemented using either a trusted 




109 



source of random bits (a beacon as in [Rab83, Ben87]) or using the Fiat-Shamir 
heuristic [FS87] which requires a hash function. In the latter case security is 
obtained for the random oracle model. 



2.5 Homomorphic encryption 

Homomorphic encryption schemes form an important tool for achieving univer- 
sally verifiable election schemes. A general definition of the notion is as follows. 
Let £ denote a probabilistic encryption scheme. Let M be the message space 
and C the ciphertext space such that M is a group under operation 0 and C is 
a group under operation ig). We say that 5 is a (0,®)-homomorphic encryption 
scheme if for any instance E of the encryption scheme, given Ci = Er^ {rri \ ) and 
C 2 = Er 2 {m, 2 ), there exists an r such that 



Cl ® C2 = Er{mi © m 2 ). 



Homomorphic encryption schemes are important to the construction of election 
protocols. If one has a (+, 0) scheme, then if Ci are the encryptions of the single 
votes, by decrypting c = Ci ® ® c„i one obtains the tally of the election, 

without decrypting single votes. 

The ElGamal cryptosystem as presented above already satisfies this defi- 
nition, where the message space is G, with multiplication modulo p as group 
operation, and the ciphertext space is x Gq with componentwise multiplica- 
tion modulo p as group operation. Namely, given an ElGamal encryption {xi , yi) 
of mi and an ElGamal encryption (x 2 ,y 2 ) of m 2 , we see that (xi 212, 3/13/2) is an 
ElGamal encryption of mi m 2 . 

For the reasons sketched above however, we need to take this one step further 
to a homomorphic scheme with addition as group operation for the message 
space. That is, instead of Gq, our message space will be Z, with addition modulo 
q as group operation. Given a fixed generator G E Gq, the encryption of a 
message m E "Kq will be the ElGamal encryption of G™. The observation is 
now that, given two such encryptions of mi and m 2 , respectively, the product is 
an encryption of mi -t- m 2 modulo q. Notice that for such a scheme decryption 
involves the computation of a discrete log, which is a hard task in general. 
Nevertheless it can be done efficiently for “small” messages, as will be the case 
in our election scheme (see Section 3). 

2.6 Efficient proofs of validity 

In our election each voter will post an ElGamal encryption of either mo or 
mi, where mo and mi denote distinct elements of Gq. (Later we will consider 
suitable values for mo and mi.) The encryption should be accompanied by a 
proof of validity that proves that the encryption indeed contains one of these 
values. Furthermore, the proof should not reveal any information about which 
one. 

Consider an ElGamal encryption of the following form: 



(x,y) = {g °‘ with m € {mo, mi}. 




110 



Voter Verifier 



== 1 


— 1 


a, w,n,di 6 r Zg 


a,w,r2,d,2 £r Z, 


x<- 9 °‘ 


X 


yi-h^G 


y <- h^jG 


a\ <— 


oi <- g'" 




bii-h'" 


02 


02 e- 




6a a:, y,oi, 61,02,62 


d'2 i — C — di 


d\<r~c- d .2 , c ea Z„ 


T 2 <— w — ad'i 


T\<r~w — adi di,d2,ri,r2 ^ c == d\ + d2 



bi = fi’-' 
a2 = 5’'=a;'^= 
h2=h^^{ylGf^ 



Fig. 2. Encryption and Proof of Validity of Ballot {x,y) 



where the prover knows the value of m. To show that the pair {x,y) is indeed 
of this form without revealing the value of m boils down to a witness indistin- 
guishable proof of knowledge of the relation given by: 

logj X = log,, (y /mo) V log,^ x = log,, (y /mi). 

The prover either knows a witness for the left part or a witness for the right part 
(but not both at the same time), depending on the choice for m. 

By the techniques of [CDS94] , we can now immediately obtain a very efficient 
witness indistinguishable proof of knowledge for the above relation. To prove ei- 
ther of the two equalities we have the efficient proof of knowledge by Chaum and 
Pedersen, described above, for which we have prepared Lemma 1. On account 
of this lemma, we have that the protocol exactly satisfies the conditions for the 
construction of [CDS94]. See Figure 2 for a preview of the protocol, as it is used 
in the election scheme of the next section. 



3 Multi-authority election scheme 

Given the primitives of the previous section we now assemble a simple and effi- 
cient election scheme. The participants in the election protocol are n authorities 
Ai, An and I voters Fi , . . . , V, . Recall that the requirements for a ballot are 
that it must contain a vote in an unambiguous way such that (i) votes accu- 
mulate when ballots are aggregated, and (ii) the proof of validity shows that a 




111 



ballot contains either a yes- vote or a no-vote, without revealing any information 
on which of the two is the case. 

To show that the same masking technique as in [SK94, CFSY96] can be 
used, we instantiate the scheme of Section 2.6 with m\ = G and mo = 1/G, 
where G is a fixed generator of G,. Thus a ballot is prepared as an ElGamal 
encryption of the form (x,i/) = for random b {1,-1}, and the 

corresponding proof of knowledge is depicted in Figure 2. To cast a ballot the 
voter posts an additional number e € {1,-1} such that v = be is equal to the 
desired vote. Alternatively, voters may adapt the precomputed values before 
sending the ballot out, i.e., precompute {x,y) and then post 

In order to make vote casting non-interactive we compute the challenge c as 
a hash value of the first message of the proof. In this case security is retained in 
the random oracle model, but some care is required to prevent vote duplication. 
Each challenge must be made voter-specific (see [Geii95]), i.e., the challenge c is 
computed by voter Vi as H{IDi,x,y,ai,bi,a 2 ,b 2 ), where IDi is a unique public 
string identifying Ti. 

As part of the initialization the designated parties generate the system pa- 
rameters p,q,g,G, as described in Section 2.2, where we may safely assume that 
I < q/2 for any reasonable security parameter k. Secondly, the authorities ex- 
ecute the robust key generation protocol as described in Section 2.3. The tran- 
scripts of these protocol should appear on the bulletin board. Note that this also 
shows to any observer that indeed n authorities are taken part in the scheme, 
which is otherwise not visible to the voters. 

The main steps of the voting protocol now are, where we assume w.l.o.g. that 
only correct ballots are cast: 

1. Voter Vj posts a ballot {xi,yi) to the bulletin board accompanied by a non- 
interactive proof of validity. 

2. When the deadline is reached, the proofs of validity are checked by the 

authorities and the product {X,Y) = (rii=i formed. 

3. Finally, the authorities jointly execute the decryption protocol of Section 2.3 
for (X, F) to obtain the value of W — YjX^. A non-interactive proof of 
knowledge is used in Step 1 of the decryption protocol. 

We thus get W = G^ as a result, where T is equal to the difference between 
the number of yes- votes and no- votes, —1<T <1. Hence, T = log^ IF which 
is in general hard to compute. However, in our case we can now fully exploit 
the fact that the number of voters I is relatively small — certainly polynomial 
in the security parameter! The value of T can be determined easily using 0{l) 
modular multiplications only, by iteratively generating G“*,G~*"'“^,G“*'*"^, . . . 
(each time using one multiplication) until W is found. Asymptotically, the work 
does therefore not increase for the authorities (at most two multiplications per 
voter). Note also that the computation of log^^ IF may be done by any party 
because the result is verifiable.® 

The time and communication complexity of the scheme is as follows. The 
work for a voter is clearly linear in k, independent of the number of authorities. 

® If this 0(1) search method is considered too .slow for a large-scale election, Shanks’ 
baby-step giant-step algorithm (see, e.g., [LL90, Section 3.1]) can be applied to find 
T in 0{\Tl) time using 0{\/lk) bits of storage. 




112 



The work for the authorities is only 0{lk+nk) (assuming that the zero-knowledge 
proof used in step 3 is 0(fc), hence negligible). Since we may safely assume that 
the number of voters is larger than the number of authorities, the work for the 
authorities is actually 0{lk). Similarly, the work for an observer who wants to 
check the outcome of the election is 0{lk). 

Theorem 2. Under the Diffie-Hellman assumption, our election scheme pro- 
vides universal verifiability, computational privacy, robustness, and prevents vote 
duplication. 

Actually, parts of this theorem also hold under the discrete log assumption, but 
for conciseness we are only referring to the Diffie-Hellman assumption (which 
is required to show that the ElGamal encryptions used do not leak information 
about the votes). For the non-interactive version of the scheme based on the 
Fiat-Shamir heuristic, the result holds in the random oracle model. 

4 Extension to multi-way elections 

Instead of offering a choice between two options, it is often required that a choice 
between several options can be made. There are numerous approaches to tackle 
this problem. Below, we sketch an approach fow which the size of the ballots does 
not increase (but the size of the proof of validity does)), which again relies on the 
construction of [CDS94]. To get an election for a 1-out-of- iiT choice, we simply 
take K (independently generated) generators Gi, I < i < K, and accumulate 
the votes for each option separately. The proof of validity of a ballot {x, y) now 
boils down to a proof of knowledge of 

log^x = \ogf,{y/Gi) V ■ V loggX = log,,{y/GK). 

Since the voter can only generate this proof for at most one generator Gi, it is 
automatically guaranteed that the voter cannot vote for more than one option 
at a time. 

The problem of computing the final tally is in general more complicated. 
After decryption by the authorities, a number W is obtained that represents the 
final tally, W = Gj * ■ ■ • G^ , where the T^’s form the result of the election. Note 
that the Tj’s are uniquely determined by W in the sense that computation of a 

different set T/’s satisfying W — G^^ ■ ■ -Gjf would contradict the discrete log 
assumption, using the fact that the generators Gi are independently generated. 
Since Tj > 0 and T{ = I, computation of the Ti’s is feasible for reasonable 
values of I and K.^ 

’’ Note that the condition 'Y^=\ ~ exploited by reducing the problem to a 

search for Ti, . . . , Tk - i satisfying 

WIG^k -= {GnjGKf^ ■■■{GK-i!GKf^-\ 

where Ti > 0 and < 1. The naive 0(l^~^) method (which checks all 

possible combinations) can now be improved considerably by a generalization of the 
baby-step giant-step algorithm of time 0(V7 ). 




113 



Prover Verifier 

\x = a’] 

w €r 

a-i-w” “ ^ 

^__!i^_c€R z, 

7 

r 1— ^ r’’ = ax'^ 

Fig. 3. Proof that a: is a g-th residue. 



5 Alternative number-theoretic assumption 

To show the generality of our approach we now present a scheme for which the 
security is related to the difficulty of factoring. Specifically, we present a scheme 
based on the g-th residuosity assumption (as in the original Benaloh schemes). 
The notion of g-th residues is an extension of quadratic residues. A number x 
is a g-th residue modulo N if there exists an a such that q* = x(mod N). ft is 
believed to be hard to distinguish between g-residues and non g-residues. 

This suggests the following homomorphic encryption scheme. We present a 
specific implementation which is suitable to threshold cryptography techniques. 
The parameters of the scheme are a modulus N — PQ, where P = 2P' + 1 and 
Q = 2qQ' + 1, with P,Q,P',Q',q all large primes. As before, the prime q can 
thus be assumed to be larger than twice the number of voters 1. Also the public 
key must include a fixed number Y € which is not a g-th residue modulo N. 

We will consider messages from Z^. The ciphertext for a message m is now 
Ea{m) — where a Z^. As before, decryption is hard, in general, but 

in our case an exhaustive search for all possible values suffices. The right m is 
detected when by computing mod N one gets back 1. Note that 

c' = (.<p{N)/q jy and Y' — mod N can be computed first, and 

then test for c'Y'^, where m is selected from all possible messages. 

Next we discuss a robust threshold cryptosystem for this setting. Notice that 
the value d = (j>{N)lq could be considered the secret key of the scheme, and that 
decryption is carried out by simply computing exponentiations (modulo N) with 
exponent d. As the setting is very similar to an RSA decryption, we can apply 
the result of [GJKR96] to obtain an efficient and robust threshold decryption 
procedure. The result in [GJKR96] holds for RSA moduli which are the product 
of safe primes (i.e., P = 2P' + 1 and Q = 2Q’ + 1), but it can easily be extended 
to work for our specific needs. 

The key generation protocol, however, relies on secure multiparty computa- 
tions as there is no known efficient way to perform a distributed key generation 
algorithm for factoring based schemes. However, since this task is part of the 
set-up of the scheme, this may be acceptable as a one-time operation. 

Our final task is to construct an efficient proof of validity that shows that a 
ballot X is correctly formed. This amounts to showing that x = for some 

a, with V e {1, —1}, hence that either xfY or xY is a g-th residue. As before. 
Lemma 3 below guarantees the existence of an efficient proof of validity, based 
on the construction of [CDS94]. 




114 



Lemma 3. The protocol of Figure 3 is a three-move, public coin proof of knowl- 
edge for r-th residuosity. The proof satisfies special soundness, and is special 
honest-verifier zero-knowledge. 

Proof. Similar to proof of Lemma 1. Special soundness now holds because for 
any two accepting conversations (o, c, r) and (o, c',r'), c > c', it follows that 
{rfr'Y — ■ Since 0 < c ~ c' < q we have that there exist integers k,l s.t. 

(c — c')k = I Iq, hence (r/r')*'' = which yields {{r fr')'‘x~‘y = x. 

Theorem 4. Under the q-th residuosity assumption, our election scheme pro- 
vides universal verifiability, computational privacy, robustness, and prevents vote 
duplication. 



6 Discussion 

6.1 Information-theoretically secure elections 

The scheme of [CFSY96] in principle provides information-theoretic protection 
of the voter’s privacy. This is due to the fact that voters post (a number of) 
information-theoretically hiding commitments to the bulletin board and that 
these commitments are opened to the authorities using private channels. A gen- 
eral problem with such a solution is that the use of private channels opens the 
possibility for disputes: on the one hand a dishonest voter may just skip sending 
a message to an authority, while on the other hand a dishonest authority may 
claim not to have received a message. 

It is therefore worthwhile to limit the possibility for disputes to the set-up 
process for the election. During the election protocol itself no disputes on the 
usage of the private channel should be possible. The idea is to use a public 
broadcast channel (such as a bulletin board) on which the parties post com- 
mitments to mutually selected keys. Each pair of parties first agrees on a key 
using a secure channel. Only if both parties broadcast the same commitment, the 
set-up of the private channel succeeded. Otherwise, there is dispute that must 
be solved at this stage. It is important that (i) the commitment is information- 
theoretically hiding and (ii) the encryption method is information-theoretically 
secure (a one-time pad). More concretely, the two phases are as follows: 

Set-up Both parties agree on a mutually at random selected key K and a com- 
mitment B on this key. Both parties broadcast a signed copy of the commitment. 
The key set-up is only succesful if both parties broadcast the same commitment. 
Disputes in this stage have to be resolved in a procedural way. 

Communication To send a message m, the sender will broadcast the encryption 
E/f (m) over the public channel. Only the intended receiver is able to recover the 
message. 

Using this method, private channels can be set up from each voter Vi to each 
authority Aj. Once set up succeeds there can be no dispute on the use of the 
private channel. Anybody sees if the voter abstains from posting the required 
values to the bulletin board. If what the voter submits consists of incorrect 




115 



shares, the respective authorities open the commitments to the key so that this 
fact can be verified. Note that for the scheme of [CFSY96] the use of the private 
channels is limited to two elements of Z, per channel. 

6.2 Incoercible protocols 

Receipt-free or incoercible election scheme that have been proposed so far all 
rely on some form of physical assumption [BT94, NR94, SK95]. The minimal 
assumption required (as in [SK95]) is the existence of a private channel between 
the voters and the authorities. These schemes allow a voter to lie about the vote 
cast even if under coercion, but not up to the level that coercer who exactly 
prescribe which private random bits the voter must use can be withstood. In- 
deed given the execution of the protocol the voter will be able to create two 
different histories of his computations, both consistent with the execution but 
corresponding to two different votes. All these schemes also require that the au- 
thorities axe incoercible, or alternatively that voters know which ones have been 
coerced. Moreover, as pointed out in the previous section, the use of private 
channels gives rise to disputes. (Another viable approach is to assume that the 
voters dispose of a tamper-proof encryption box such as a smartcard, but we 
consider this beyond the scope of this paper.) 

Recently, Canetti and Gennaro in [CG96] proved that general secure mul- 
tiparty computation protocols can be made incoercible without the above as- 
sumptions, in particular without as.suming untappable channels. Their scheme 
is based on a new type of encryption called deniable encryption introduced in 
[CDN096] that allows a sender to encrypt a bit b in such a way that the resulting 
ciphertext can be “explained” as either 6 or 1 — 6 to a coercer. The construction 
in [CG96] works for the general problem of secure multi-party computation; as 
such it is described in terms of a complete network of communication and the 
result holds as long as at most half of the players in the network are coerced. For 
the case of election schemes, the construction of [CG96] can be scaled down to 
the bulletin board model (thus not requiring communication between voters). In 
this model all voters can withstand coercion provided the coercer is not able to 
prescribe the random bits of the voters, and at most half of the authorities can 
be completely coerced. The complexity of the resulting scheme is high (although 
polynomial), but opens the door to the search for efficient incoercible schemes. 

In order to make our election scheme incoercible (without physical assump- 
tions) we would need a deniable encryption scheme which is (i) homomorphic, 
(ii) suitable to threshold cryptography techniques. An interesting open problem 
is thus to construct such a scheme- 



6.3 Proactive Security 

The secrecy of the votes is protected against coalitions of up to t — 1 authorities. 
In other words, an attacker must recover t shares of the private key in order to 
be able to decrypt single votes. This is similar to previous protocols in which the 
vote is (t,n)-shared among the authorities. We note that the use of threshold 
cryptography instead of secret sharing presents also some advantages in this 
area. Using proactive security techniques (see [HJKY95, HJJ+97, FGMY96]) it 




116 



is possible to leave the public key of the system in place for a really long time 
without fearing it being compromised. Indeed, when using proactive schemes the 
shares of the private key are periodically “refreshed” so that an attacker is forced 
to recover t shares in one single period of time that can be as short as a day. 
Both schemes presented in this paper can be made proactive, the discrete-log 
based one using the techiniques in [HJJ+97] and the factoring one by adapting 
the work of [FGMY96]. The idea is that the authorities run the key generation 
protocol every day at midnight, say, but now sharing a zero value. The new 
shares are added to the old shares of the secret key s. The resulting shares still 
interpolate to s (since the free term of the polynomial is unchanged) but lie on 
an otherwise different polynomial. 



7 Concluding remarks 

We have shown a very efficient scheme for secure elections based on the discrete 
log assumption, and a somewhat more complicated scheme based on the 7 -th 
residuosity assumption. The new schemes satisfy all well-known requirements, 
except for receipt-freeness. An open problem is to construct efficient incoercible 
election protocols, preferably without relying on physical assumptions. 

In our scheme the work for the voter is minimal and independent of the 
number of authorities. Election schemes based on the mix channel of [PIK94] 
also have this property but for several reasons our approach is preferable over 
those schemes. In mix-based schemes the final tally is computed by somehow 
decrypting the individual ballots, while in our approach a single decryption of 
the aggregate of the ballots suffices. In mix-based schemes disrupters may submit 
invalid ballots which are detected only after decryption has taken place; in our 
scheme disruption by voters is automatically prevented because of the required 
proof of validity for ballots. Another important difference is that due to the use 
of a threshold cryptosystem we achieve robustness in a stronger sense. Indeed in 
mix-based schemes the failure of a single authority would compromise the whole 
protocol. In our case we can tolerate malicious behavior of a constant fraction 
(half) of authorities. Finally, the security of our scheme can be proven from its 
construction, while some security problems with the schemes of [PIK94, SK95] 
exist, as shown for instance in [Pfi95, MH96]. 

We would like to emphasize that the work for the voter is really low. For ex- 
ample, for the discrete log scheme, we have for |p| = 64 bytes and \q\ = 20 bytes, 
that the size of the ballot plus its proof plus a signature on it is only 272 bytes 
in total. Clearly, this is an order of magnitude better than [CFSY96], which was 
already two orders of magnitude better than any previous scheme. Furthermore, 
computation of the ballot and its proof require a few exponentiations only (see 
Figure 2). A direct consequence of the reduced ballot size is also that the task 
of verifying the final tally is much simpler. 

References 

[Ben87] J. Beiialoh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, 
Department of Computer Science Department, New Haven, CT, September 
1987. 




117 



[BT94] J. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. In Proc. 

26th Symposium on Theory of Computing (STOC ’94), pages 544-553, New 
York, 1994. A.C.M. 

[BY86] J. Benaloh and M. Yung. Distributing the power of a government to en- 
hance the privacy of voters. In Proc. 5th ACM Symposium on Principles of 
Distributed Computing (PODC ’86), pages 52-62, New York, 1986. A.C.M. 

[CDN096] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable encryption, 
1996. Manuscript. 

[CDS94] R. Cramer, I. Damgard, and B. Schoenmakers. Proofs of partial knowl- 
edge and simplified design of witness hiding protocols. In Advances in 
Cryptology — CRYPTO ’94, volume 839 of Lecture Notes in Computer Sci- 
ence, pages 174-187, Berlin, 1994. Springer- Verlag. 

[CF85] J. Cohen and M. Fischer. A robust and verifiable cryptographically secure 
election scheme. In Proc. 26th IEEE Symposium on Foundations of Com- 
puter Science (FOCS ’85), pages 372-382. IEEE Computer Society, 1985. 

[CFSY96] R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung. Multi-authority 
secret ballot elections with linear work. In Advances in Cryptology — 
EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, 
pages 72-83, Berlin, 1996. Springer- Verlag. 

[CG96] R. Canetti and R. Gennaro. Incoercible multiparty computation. In S7th 
IEEE Symposium on Foundations of Computer Science (FOGS’ 96), 1996. 
To appear. 

[Cha81] D. Chaum. Untraceable electronic mail, return addresses, and digital 
pseudonyms. Communications of the ACM, 24(2);84-88, 1981. 

[Cha91] D. Chaum. Zero-knowledge undeniable signatures. In Damgaid, editor, 
Advances in Cryptology — EUROCRYPT ’90, volume 473 of Lecture Notes 
in Computer Science, pages 458-464, Berlin, 1991. Springer- Verlag. 

[CP93] D. Chaum eind T. P. Pedersen. Wallet databases with observers. In Ad- 
vances in Cryptology — CRYPTO ’92, volume 740 of Lecture Notes in Com- 
puter Science, pages 89-105, Berlin, 1993. Springer- Verlag. 

[CP95] L. Chen and T. P. Pedersen. New group signature schemes. In Advances in 
Cryptology — EUROCRYPT ’94, volume 950 of Lecture Notes in Computer 
Science, pages 171-181, Berlin, 1995. Springer- Verlag. 

[Des94] Y. Desmedt. Threshold cryptography. European Transactions on Telecom- 
munications, 5(4):449~457, 1994. 

[DH76] W. DiffieandM. E. Heilman. New directions in cryptography. IEEE Trans- 
actions on Information Theory, 22(6):644-654, 1976. 

[E1G85] T. ElGamal. A public-key cryptosystem and a signature scheme based 
on discrete logarithms. IEEE Transactions on Information Theory, IT- 
31(4);469-472, 1985. 

[FGMY96] Y. ftankel, P. Gemmell, P. McKenzie, and M. Yung. Proactive RSA, 1996. 
Manuscript. 

[FS87] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to iden- 
tification and signature problems. In Advances in Cryptology — CRYPTO 
’86, volume 263 of Lecture Notes in Computer Science, pages 186-194, New 
York, 1987. Springer- Verlag. 

[Gen95] R. Gennaro. Achieving independence efficiently and securely. In Proc. 14th 
ACM Symposium on Principles of Distributed Computing (PODC ’95), New 
York, 1995. A.C.M. 

[GJKR96] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient 
sharing of RSA functions. In Advances in Cryptology — CRYPTO ’96, vol- 
ume 1109 of Lecture Notes in Computer Science, pages 157-172, Berlin, 
1996. Springer- Verlag. 




118 



[HJJ+97] 

[HJKY95] 

[LL90] 

[MH96] 

[NR94] 

[Ped91] 

[Ped92] 

[Pfi95] 

[PIK94] 

[PW92] 

[Rab83] 

[Rei94] 

[Rei95] 

[Sch91] 

[Sha79] 

[SK94] 

[SK95] 



A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proac- 
tive public-key and signature schemes. 4th Annual Conference on Computer 
and Communications Security, 1997. To appear. 

A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret shar- 
ing, or: How to cope with perpetual leakage. In Advances in Cryptology — 
CRYPTO ’95, volume 963 of Lecture Notes in Computer Science, pages 
339-352, Berlin, 1995. Springer- Verlag. 

A. K. Lenstra and H. W. Lenstra, Jr. Algorithms in number theory. In 

J, van Leeuwen, editor. Handbook of Theoretical Computer Science, pages 
673-715. Elsevier Science Publishers B.V., Amsterdam, 1990. 

M. Michels and P. Horster. Some remarks on a receipt-free and univer- 
sally verifiable mix-type voting scheme. In Advances in Cryptology 
ASIACRYPT ‘ 94 ., volume 1163 of Lecture Notes in Computer Science, pages 
125-132, Berlin, 1996. Springer- Verlag. 

V. Niemi and A. Renvall. How to prevent buying of votes in computer 
elections. In Advances in Cryptology —ASIACRYPT ’94, volume 739 of 
Lecture Notes in Computer Science, pages 141-148, Berlin, 1994. Springer- 
Verlag. 

T. Pedersen. A threshold cryptosystem without a trusted party. In Ad- 
vances in Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in 
Computer Science, pages 522-526, Berlin, 1991. Springer- Verlag. 

T. P. Pedersen. Distributed Provers and Verifiable Secret Sharing Based on 
the Discrete Logarithm Problem. PhD thesis, Aarhus University, Computer 
Science Department, Aarhus, Denmark, March 1992. 

B. Pfitzmann. Breaking an efficient anonymous channel. In Advances in 
Cryptology— EUROCRYPT ’94, volume 950 of Lecture Notes in Computer 
Science, pages 332-340, Berlin, 1995. Springer- Verlag. 

C. Park, K. Itoh, and K. Kurosawa. Efficient anonymous channel and 
all/nothing election scheme. In Advances in Cryptology — EUROCRYPT 
’93, volume 765 of Lecture Notes in Computer Science, pages 248-259, 
Berlin, 1994. Springer- Verlag. 

B. Pfitzmann and M. Waidner. Unconditionally untraceable and fault- 
tolerant broadcast and secret ballot election. Hildesheimer inforrnatik- 
berichte, Institut fiir Informatik, May 1992. 

M. Rabin. Transaction protection by beacons. Journal of Computer and 
System Sciences, 27(2):256-267, 1983. 

M. Reiter. Secure agreement protocols: Reliable and atomic group multi- 
cast in Rampart. 2nd ACM Conference on Computer and Communications 
Security, Fairfax, November 1994. 

M. Reiter. The Rampart toolkit for building high-integrity services. In 
Theory and Practice in Distributed Systems, volume 938 of Lecture Notes 
in Computer Science, pages 99-110, Berlin, 1995. Springer- Verlag. 

C. P. Schnorr. Efficient signature generation by smart cards. Journal of 
Cryptology, 4(3);161-174, 1991. 

A. Shamir. How to share a secret. Communications of the ACM, 
22(11):612-613, 1979. 

K. Sako and J. Kilian. Secure voting using partially compatible homomor- 
phisms. In Advances in Cryptology — CRYPTO ’94, volume 839 of Lecture 
Notes in Computer Science, jiages 411-424, Berlin, 1994. Springer- Verlag. 
K. Sako and J. Kilian. Receipt-free mix-type voting scheme — a practi- 
cal solution to the implementation of a voting booth. In Advances in 
Cryptology — EUROCRYPT ’95, volume 921 of Lecture Notes in Computer 
Science, pages 393-403, Berlin, 1995. Springer- Verlag. 




Binding ElGamal: A Fraud-Detectable Alternative 
to Key-Escrow Proposals 



Eric R. Verheul*’^ and Henk C.A. van Tilborg^ 

^ Ministry of the Interior, P.O. Box 20010, 2500 EA, The Hague, The Netherlands. 

Eric . Verheul@pobox.com 

^ Depeirtment of Math, and Comp. Sc., P.O. Box 513, Eindhoven University of 
Technology, 5600 MB, Eindhoven, The Netherlands, henkvt@win.tue.nl 



Abstract. We propose a concept for a worldwide information security 
infrastructure that protects law-abiding citizens, but not criminals, even 
if the latter use it fraudulently (i.e. when not complying with the agreed 
rules). It can be seen as a middle course between the inflexible but fraud- 
resistant KMI-proposal [8] and the flexible but non-fraud-resistant con- 
cept used in TIS-CKE [2]. Our concept consists of adding binding data to 
the latter concept, which will not prevent fraud by criminals but makes 
it at least detectable by third parties without the need of any secret infor- 
mation. In [19], we depict a worldwide framework in which this concept 
could present a security tool that is flexible enough to be incorporated 
in any national cryptography policy, on both the domestic and foreign 
use of cryptography. Here, we present a construction for binding data for 
ElGamal type public key encryption schemes. As a side result we show 
that a particular simplification in a multiuser version of ElGamal does 
not affect its security. 

Key words ElGamal, Traceable ElGamal, Key Escrow, Key Recovery 

1 Introduction 

We’ll briefly summarize the technical position taken in [19]. A robust, worldwide 
information security infrastructure (ISI) must be set up which includes a Key 
Management Infrastructure which will (likely) be based on public key cryptog- 
raphy. Proper certification of public keys will be a crucial (and elaborate) service 
within this ISI. However, the unconditional use of encryption by criminals poses 
a threat to law enforcement, a problem that is hard to solve. Consequently, most 
governments feel that they have to realize two tasks. The first is to stimulate the 
establishment of an ISI which protects the legitimate interests of all relevant par- 
ties (businesses, governments, citizens), but which does not aid criminals. The 
second task is to cope with the use of other encryption techniques by criminals. 
How to achieve the second goal is outside the scope of this contribution, but 
it is our feeling that an ISI, that is widely accepted and trusted, will make it 

* Views expressed here are personal and not necessarily shared by my employer. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 1 19-133, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




120 



easier to achieve the second task. We also feel that without strong cooperation 
of governments such a widely accepted and trusted ISI will never be established 
at all. In this paper we address a construction of a reliable ISI, which does not 
aid criminals. 

In public key encryption (pke) encrypted messages - ideally - consist of two 
components; 

Cl. The (actual) message M encrypted with a symmetric system, using a ran- 
dom session key S. 

C2. The session key S encrypted using the public key(s) of the addressee(s). 

A straightforward method to prevent facilitation of criminals is outlined in the 
U.S. -government (draft) Key Management Infrastructure (KMI) proposal [8]. 
Here, participating users have to deposit their private keys with a private-sector 
Trusted Recovery Party (TRP).^ When a law-enforcement agency (LEA), that 
has obtained legal authority to access a user’s communication, strikes upon data 
encrypted within this scheme, the TRP will “relinquish information sufficient to 
access” these data. One of the problems mentioned in [19], is that the scheme 
is inflexible in an international context: in order to let the principle work for 
any country, every participating country - irrespective of its national policy on 
cryptography - has to escrow the private keys of its users also. Also, international 
cooperation of a TRP with a LEA outside the country of the TRP might be 
difficult and time-consuming. Although the latter problem is resolved in the 
“Royal Holloway” variant [11] of this scheme, it can be argued that the resulting 
flexibility here is not better than that of the KMI-proposal. Compare [1]. 

A more flexible method to prevent facilitation of criminals consists of virtual 
addressing session keys to Trusted Recovery Parties (see, for instance, the TIS 
Commercial Key Escrow [2]). In this scheme, participating users agree to add a 
third component to an encrypted message; 

C3. The same session key 5 encrypted using the public key(s) of one or more 
Trusted Recovery Parties. 

In effect, any TRP is treated as a virtual addressee, although the message is not 
sent to it. When a LEA is conducting a lawful intercept and strikes upon an 
enciphered message, they take the information component of one of the TRP’s 
to that TRP. If shown an appropriate warrant, the TRP decrypts ( “recovers” ) 
the information component and (only) hands over the session key 5, so that the 
LEA agency can access the message. 

This concept has been the base of several escrow products (Translucent Cryp- 
tography, AT&T Crypto Backup, RSA secure). Observe that users do not have 
to deposit secret key information to TRP’s beforehand. This makes this approach 

® We use the notion “Trusted Recovery Party” as it forms a combination of the (recent) 
U.S. notion “recovery” (replacing “key-escrow”) and the European notion “Trusted 
Third Party” . 




121 



more feasible (and acceptable to users) than the KMI-proposal; an important 
advantage as - also pointed out in the study of the National Research Council 
(NRC) [14, p.329] - feasibility of key-recovery solutions is a significant issue. We 
remark that one could incorporate information in the session key identifying the 
sender (as is done in TIS-CKE). However, as this, in principle, makes possible a 
(partially) known-plaintext attack (cf. [4]) one should be careful with this. 
Although this concept is very flexible (see below), its main drawback is that 
it offers no possibility, at least for others than the TRP, to check whether the 
third component actually contains the (right) session key; moreover the TRP 
can only discover “fraud” (i.e. not complying with the agreement) after a lawful 
wiretap. Hence, by sending noise instead of a third component unilateral abuse 
(i.e. without help of the addressee) is easily possible. This can be prevented in 
the software of the addressee by a recalculation and validation of C3 prior to 
decryption. However, abuse by colluding of a sender and receiver - through a 
one-time manipulation of this validation in software - is still easily possible. So 
the solution is almost entirely unenforceable. According to the NRC-study [14, 
p.214] U.S. senior Administration officials have said that this matter is the reason 
for the limitation to (only) 64 bits in the (draft) 1995 U.S. Key Escrow Export 
Criteria for cryptographic applications in software: “the limitation to 64 bits is a 
way of hedging against the possibility of finding easily proliferated ways to break 
the escrow binding built into software, with that result that U.S. software prod- 
ucts without effective key escrow would become available worldwide”. On the 
other hand, it is noted in the NRC-study [14, p.211] that a recovery encryption 
product does not have to be perfectly resistant to breaking the recovery binding: 
it should only be more difficult to bypass the recovery features than to build a 
system without recovery. 

In [19] we looked for a middle course between the inflexible but fraud-resistant 
KMI-proposal and the flexible but non-fraud-resistant virtual addressing. We 
found one by not preventing colluding of sender and receiver, but by making it 
at least detectable by third parties without having access to secret (key) informa- 
tion. More specifically, we proposed the binding alternative, which adds a fourth 
component to the encrypted message: 

C4. Binding data. 

The idea is that any (third party) monitor, e.g., a network or (Internet) ser- 
vice provider, who has access to components C2, C3, and C4 (but not to any 
additional secret information) can determine that the session keys encrypted in 
components C2 and C3 coincide but it can not determine any information on 
the actual session key S. In this way, fraud is easily detectable (and punishable). 
Metaphorically speaking, binding data consists of equipping public-key encryp- 
tion schemes used for confidentiality with a metal detector, as used at boarding 
gates on airports. 

The binding concept supports the virtual addressing of session keys to several 
TRP’s (or none for that matter), for instance, one to a TRP in the country of the 
sender S and one in the country of the addressee A. Note that this can be easily 




122 



implemented; S’s software can (once) be adjusted to the public key of S’s TRP; 
the public key of A’s TRP can be part of A’s (certified) public key. The solution 
therefore offers the same advantage for worldwide usability as [11]. We also 
remark that the binding concept also supports the functionality of controllable 
key splitting in the sense of Micali [13], even in several fashions. For instance, 
the private TRP key can be splitted in several parts and be deposited at several 
sub-TRP’s. It turns out that the ElGamal system very conveniently supports 
the splitting and the reconstruction of private keys (see the end of Section 2). 
Finally, we remark that the time-boundedness condition (cf. [12, p.l99]), i.e. 
the condition that time-limits on warrants can be enforced, can be fulfilled by 
additionally demanding that encrypted information (or all components) be time- 
stamped and signed by the sender. These can be easily verified by any third party 
monitor as well. A much simpler solution is to let the time be an (unencrypted) 
part of the message and to incorporate it in the binding data (as indicated in 
Section 4). 

An additional feature could prevent the threat of the “tempted policemen” This 
tempted policemen might conspire with a criminal and have the criminal resent 
(or “receive”) an unrelated, highly confidential business message intercepted by 
the policemen. The TRP, thinking the message originated from the (wiretapped) 
criminal, would assist the policemen in decrypting. In the binding scheme, this 
can be prevented by additionally requiring senders to virtually address the ses- 
sion key to themselves as well. The TRP could check this component before 
assisting a law-enforcement agency, and monitors could check on compliance. 
Incidentally, this feature can also solve similar problems in TIS-CKE and in the 
U.S. KMI-proposal. In the latter, it also overcomes the problem of international 
communications: the TRP has got the private key of the sender and can there- 
fore recover the session key. Thus, binding cryptography can also benefit other 
proposals. 

In [19], we depict a general framework in which the binding concept (as general 
notion) could present a security tool that is flexible enough to be incorporated 
in any national cryptography policy, for both the domestic and foreign use of 
cryptography, and that offers a flexible choice of trust for users. Here, we present 
a construction for binding data for the ElGamal type of pke schemes; this is par- 
ticularly interesting as on 29 April 1997, ElGamal will no longer be encumbered 
by patents in the U.S.. 

A difficulty one faces in the construction of binding data for a pke scheme, 
apart from the binding data itself, is finding a suitable multiuser extension of it, 
allowing the secure (!) encryption of exactly the same session-key (i.e. including 
“padding” data) with different public keys. For the RSA scheme, for instance, 
this presents a problem (cf. [10]). In Section 2 we will introduce a secure multi- 
user extension of ElGamal. Section 3 deals with proving knowledge of equality of 
certain logarithmic values. Section 4 presents the construction of binding data 
techniques for ElGamal’s protocol. Finally, many of the constructions for the 
ElGamal scheme can be extended to Desmedt’s traceable variant of ElGamal 
([6]). We will sketch some of these extensions in Appendix B. 




123 



2 The Multiuser ElGamal Encryption Scheme 

The ElGamal [7] pke system makes use of a subgroup G of a multiplicative, 
cyclic group H in which the discrete logarithm problem is intractable. Let q be 
the order of G and let 9 be a generator of G. The elements g,G, and H are given 
to all participants by an Issuing Party (IP). We will not further specify G,H, 
but in a typical example H is the multiplicative group of Z/pZ for a (large) 
prime p and G = H. 

To participate in the system, each participant P chooses his own secret key xp 
(a random number less than q) and publishes his (certified) public key yp = 
gxp g G. If a person, say Ann, wants to encrypt a message S £ H meant for 
participant Bob, she chooses a random number k less than q and sends the pair 
(t, u) = y%ob ' *0 Bob. When Bob receives (t, u) he just calculates 

to find S back. 

We focus on the following multiuser extension of ElGamal, 

Definition 2.1 In the Multi-ElGamal protocol, participant P, when going to en- 
crypt message S £ H for n participants with public ElGamal keys 3/1, 1/2, ■ ■ ■ ,2/m 
will generate a random number k less than q and send pair {g^ ,yf ■ S) to the i-th 
participant, 1 <i <n. 

The question that arises of course is whether Multi-ElGamal is less secure than 
choosing a different k for each participant (which is less efficient). We shall show 
it is not. 

The following terminology is convenient. Let g be an element oi G, y an element 
of the cyclic group < g > generated by g, S £ H and k £ Z/gZ. Then the 
4-tuple {g,y,g'°,y'‘ • 5) is called an encryption of g,y,k,S and will be denoted 
by [S) 3/j -S']. The elements k,S,\oggy will be called the secret (or unknown) 

components of the encryption. 

Lemma 2.2 Let [g,yp, ki, Si], 1 < i < h, be a sequence (“history”) of encryp- 
tions for user P. Then anyone can construct a second sequence of encryptions 
[g,y,ki,Si], 1 < i < h, with y random in G (but with the same ki’s and Si’s) 
such that the computation o/logg(yp) is as difficult as that ofloggp. 

Proof: For i = 1,2, .. . ,/i, denote {g'^',yp*'' - Si) by [Ai,Bi). Let i be one of 
1,2,. . . ,/i. Choose j randomly in ZfqZ, and compute C — g^ , Di = (A,)^ and 
y = yp ■ C. First of all, we observe that y = So y is a random element in 

<g>=G. 

Now {g,y,Ai,Bi ■ Di) can be computed. We shall prove that it is indeed an 
encryption [g,y,ki,Si\. To this end the only condition that needs to be verified 
is Bi ■ Di = y^' ■ Si- This follows from; 

B,-Di = yfi ■ Si ■ . 5, = ■ S. 



Finally, we observe that log^ y = log^ yp + j, so log^ (yp) can be determined 
directly from log^ y and vice versa. □ 




124 



Theorem 2.3 Let n be a natural number. Then breaking Multi-ElGamal for n 
addressees is as difficult as breaking ElGamal. 

Proof: Clearly, aay algorithm that breaks ElGamal also breaks the Multi-version 
of it. So, only the implication the other way around needs to be shown. Suppose 
there exists an efficient algorithm A that on input of n sequences of h Multi- 
ElGamal encryptions (in the i-th encryption, I < i < h, the same message Si 
has been sent to all n users - with random public keys - using the same random 
number fcj) has a non-negligible chance of outputting (all) secret information. 
Now let a sequence of ElGamal encryptions for a participant P be given, say 
[Si y>ki,Si] for i = 1,2,..., h. Then by the first part of Lemma 2.2 we can con- 
struct a sequence of outputs of a Multi-ElGamal encryption with n participants 
using the same ki and St: the public keys of the participants will be random 
and the secret key of P follows from any of the secret keys of the participants. 
Combining this output with A we obtain an algorithm B, as efficient as algo- 
rithm A, which breaks the ElGamal encryptions for participant P with the same 
non-negligible chance. □ 

Using the ideas of [13], the ElGamal scheme can very conveniently support the 
construction of public keys in which the secret key is secretly shared among n 
share-holders (TRP’s in our situation) in an n out of n secret sharing scheme. 
Suppose all share-holders have chosen a secret key xt less than q and have pub- 
licized the resulting ElGamal public key i/< = g^'. Then, their product denoted 
by y, will be the shared public key. Observe that the associated secret key x is 
given by log^y = The ElGamal encryption {g^,y^ ■ S) = (A, B) of a 

message S with respect to the public key y, can be decrypted by a third party 
(a LEA in our situation) by first asking the i-th share-holder to return Ai = A®' 
and then to calculate S by B/ n"=i Observe that the share-holders do not 
have to come together and explicitly reconstruct the secret. If, in our situation, 
many TRP’s have publicized their public key, then users themselves can choose 
the share-holders (they trust) and form the resulting public key. 

By following Pedersen [15], [16] one can, for any 1 < fc < n, construct an 
ElGamal public key y = g^ m which the secret key x is shared in a A: out of n 
secret sharing scheme as the constant term of a polynomial / of degree fe — 1. 
Also, shareholders can verify the validity of their share. In [15] a (trusted) dealer 
is required to construct /. In [16] / is interactively and securely constructed by 
the share-holders themselves (in our situation, for instance on request of a user). 
As a dealer forms a single point of failure, the latter construction is preferred in 
our situation. As above, one can construct a protocol (also used in [5]) in which 
a third party (a LEA in our situation) can decrypt an ElGamal encryption 
{g^,y^ ■ S) = (A, B) of a message S without the share-holders need to come 
together and explicitly reconstruct their secret. More precisely, consider k share- 
holders in the scheme with public computable Oi, ..., a*, and shares si, ..., Sk (see 
[15, p.223]). Then the party first asks the f-th share-holder to return Ai = A"' 
and subsequently determines 5 by calculating B/ A;“h We note that for 
k = n, the earlier mentioned scheme is more efficient. 




125 



3 A proof of knowledge on the equality of logarithms 

The following result seems to be part of the mathematical “folklore” , but for the 
sake of completeness a proof is given in Appendix A. The result is an extension of 
the Chinese Remainder Theorem in the situation that not necessarily all moduli 
are relatively prime in pairs. 

Proposition 3.1 Let Ui, 6 , for i — 1, 2, . . . , n, be integers and let Cj denote the 
cosets Ui + {bi) in Z, where (bi) stands for biZ. Then the following assertions are 
equivalent: 

1. The intersection of all Ci ’s is non-empty and can be written as 
y + (lcm(i»i, 62 , . . . , bn)) for some integer y. 

2. Every pair of Ci ’s has a non-empty intersection. 

3. gcd{bi,bj) divides Oi — aj for all 1 < i ^ j < n. 

Now consider elements gi,g 2 , ■ ■ ■ ,gn (not necessarily distinct) in G. Suppose 
that person P (for prover) gives hi,h 2 , ■ ■ ■ ,hn € G to person V (for verifier) and 
states: 

S. There exists a number 0 < k < q, such that for all 1 < i < n 

= hi, ( 1 ) 

or equivalently, there exists a number 0 < k < q, simultaneously satisfying: 

k = \ogg.hi (mod ord(^i)). ( 2 ) 

where the “ord” of a group element stands for its multiplicative order. Note that 
if all Qi are generators then all logg. hi will coincide. 

The following protocol lets P prove statement S without revealing anything 
about k\ it is inspired by the authentication schemes of Schnorr [17] and Guillou- 
Quisquater [9j. Moreover, it is an extension of a signature scheme introduced by 
Chaum and Pedersen in [3] (an anonymous referee is thanked for this reference). 
In this protocol a positive integer v occurs, that will be called the confidence 
level of the protocol. We will demand that this number satisfies; 

V < min{u' | u' > 1 and, for some i j, 

v' divides both ord(p<) and ord(flj) }. (3) 

Note that the smallest prime factor of g = [Gj is a lowerbound for u; equality 
holds if all pi are generators of G. As a large v is desired, q should not have small 
prime factors. 

Protocol 3.2 

1. P generates a random number I less than q, calculates o; = g\ for 1 < * < n 
and hands the Oj ’s over to V. 




126 



2. V generates a random 0 <w <v and presents w as a challenge to P. 

3. P calculates z = w ■ k + I (mod q) and hands z over to V. 

4- V verifies for alll <i <n that gf = hf -ai- If so, V will accept S, otherwise 
he rejects it. 

We will now show that this protocol satisfies the following properties: 

Completeness If statement S is true, then V will accept it. 

Soundness If S is not true, then with a probability less than 1 fv (so small) it 
will still be accepted by V. 

Security If S is true, then V can not learn secret information on k by following 
the protocol. 

The verification of the first property is straightforward. For the verification of 
Soundness, suppose that equality (2) does not hold, so there is no common 
solution to the n congruences in (2). Then, by Proposition 3.1, there exist 1 < 
i ^ j < n such that gcd(ord(pj), ord( 5 j)) does not divide log^. hi - log^^ hj. 
Let D denote the greatest common divisor of the latter two numbers, and let 
v' = gcd(ord(gi),ord(gj))/£). Now, although P has (some) freedom in choosing 
logg, hi prior to the protocol, and log^^ a* in the first step of the protocol, he has 
to come up with a number z in the third step satisfying for all i, 1 < i < n, and 
for all (or at least sufficiently many) w, 0 < w < v: 

z = w- logj, hi + logg, ai (mod ord(c;i)). 

The i-th and j-th congruences above (resp. modulo ord( 3 ,) and ord(pj)) will also 
hold modulo the common factor gcd(ord(pi),ord(gj)), yielding: 

w ■ logg. hi + logj, ai=w- logg. hj + log^^ aj (mod gcd{oTd{gi),OTd{gj))). 

As (logg. hi — logj^ hj)jD is relatively prime with v', w is uniquely determined 
modulo v'. Hence the probability that V chooses the “right” w (in V’s opinion) 
is equal to 1/v' which is less than or equal to 1/v. 

Finally, as an argument for Security, we assume that both P and V really choose I 
resp. w randomly. Observe that it is in P’s best interest to do so: more uncertainty 
on I will give more uncertainty on A: to V in the third step of the protocol. Now 
we will proceed with the standard zero-knowledge argument: we will show that 
V can generate a typical transcript (ai , . . . , a„; w, z) of the protocol himself, i.e. 
without communicating with P. To this end, V can choose w and at random 
and evaluate Uj, 1 < i < n, such that they satisfy gf = hf ■ Ui. Then it easily 
follows - provided P’s statement is correct - that Ui = g\ for I = z — k ■ w. 

Note that for Security it is required that the verifier follows the protocol, i.e. 
the verifier must choose his challenges w in a random way. Although intuitively 
clear, we can not prove that V learns no secret information by deviating from 
the protocol by choosing his challenges in a non-random way (cf. [3]). In the 
terminology of [18, Ch. 13] the above proof system for equality of logarithms is 
perfect zero-knowledge for an honest verifier, but we do not know whether it is 




127 



perfect zero-knowledge without qualification, i.e. for any (dishonest) verifier. In 
our application of it in Section 4 we will enforce the verifier to be honest, i.e. to 
choose his challenges in a random way, thereby ensuring security. 

We remark that the verification in the fourth step of the protocol can be rewritten 
9i ■ ^7^ — "^he use of data in the protocol can be reduced if P hands over 
the hash values Hi = H{ai) of the Oi - for some secure hash function H{.) 
- instead of the Oj themselves. The verification step in the fourth step of the 
protocol then becomes; 



H{gt • = Hi. (4) 

A similar technique is employed in the U.S. Digital Signature Algorithm. To 
achieve the same level of security the number of bits in the output of the hash 
should not be less than log 2 (u). 

4 Binding the ElGamal Encryption Scheme 

In this section we will present a construction for binding the ElGamal schemes 
using the multiuser extension discussetl in Section 2. We shall do this with a 
(detailed) illustration, in which we will use the notation of Section 2. We will 
also make use of a conventional symmetric cipher E{.) and of a public one-way 
(hash) function H{.). 

Suppose that Ronald from America wants to send a confidential document D to 
Margaret in Britain using a (government supported) Public Key Infrastructure 
(PKI) that incorporates binding ElGamal. Part of the PKI-policy is the choice of 
a confidence parameter v. the probability that binding data are accepted while 
the values of S sent to B and the TRP differ should be less than 1/u. We assume 
that the parameters of the ElGamal system are chosen such that inequality (3) 
holds, that is q has no prime factors less than v. Now suppose that the national 
PKI-policy of America (resp. Britain) states that Ronald has to virtually address 
his messages to an American TRP (resp. a British TRP) . Also suppose that the 
American PKI-policy allows the use of “splitted” public keys as explained at the 
end of Section 2. Let TRPai,TRPa 2 respectively TRPb be Trusted Recovery 
Parties from respectively America and Britain that Ronald trusts and chooses; 
TRPai,TRPa 2 together form TRPa. Let the splitted secret keys and public 
keys of TRPa, , TRPaj be respectively denoted by xa^ i , VAi , Va^ . the shared 
secret key and public key (of TRPa) will be denoted by xa{= + ^A^) 3nd 
?/^(= VAi ■ VA-i)- Also, the secret key and public key of TRPb will be denoted 
respectively by a;B and j/b. Finally, the secret and public key of Margaret will 
be simply denoted by x and y. 

Ronald chooses a random k <q and a session key S £ H and sends the following 
data-block to Margaret: {E,C,RM,RA,H,B 7 bind) where: 

Cl. E = Es{D): the document encrypted by E under session key S. 

C2. (C, Rm) = ■ S)\ the session key S enciphered with Margaret’s public 

key; 




128 



C3. {C,Ra) = {g^,yA ■ {C,Rb) - ■ ^)- the session key S enciphered 

with the public keys of resp. TRPa and TRPb- 
C4. bind. 

First observe that if Ronald uses the scheme correctly, then Margaret can deter- 
mine S by calculating Rm/C^', TRPb can offer 5 to a British LEA by calculating 
Rb/C^‘^- An American LEA can ask TRPai (resp. TRPaj) to calculate C®'*i 
(resp. and then calculate S by RaHC^'*^ • This is just an appli- 

cation of the multiuser ElGamal scheme which we showed to be as secure as the 
original ElGamal scheme. 

Now we come to the construction of the binding data bind. Observe that the 
three numbers C, Ra/ Rm, Rb/ Rm are respectively equal to g'^,{yA/y) , and 
{ysly)^^ that is, they are equal to the group elements g,yAly,yBlv raised to 
the same power k. Hence, k can be viewed as the solution of the equality: 

= (yA/yr = RAlRM , iya/yr = Rb/Rm- (5) 

Now suppose we know that equality (5) has a solution k'. Given that the C and 
Rm are formed correctly (they are meant for Margaret to decrypt the message 
using ElGamal) . It follows that = {vaIv)^' -Rm = {VA/y)^ -y^ -S = (i/a)* -S- 
That is, (C, Ra) is a well-formed ElGamal encryption of the same S for TRPa- 
A similar conclusion holds for TRPb- 

We conclude that to construct binding data for the ElGamal scheme one only 
has to construct data which shows that (5) has a solution. For this one would like 
to use a non-interactive version of Protocol 3.2. To this end, Ronald generates 
a random j < q and forms bind = {D,F,I,z), where D = y^, F = {yA/yY, I — 
{yB/vV and z = w-k + j (mod q), where u; < u is the result of letting the one- 
way function H{.) work - in a fixed, public way - on E,C.,Rm^Ra^Rb,D,F,I 
and possibly other public data such as Margaret’s full identity and the date/time. 
In effect, w can not be predicted by Ronald beforehand and behaves like the 
random challenge in Protocol 3.2, Step 2. 

Now by Protocol 3.2 anybody who has access to Rm , Ra ,Rb, bind and the public 
keys of Margaret, TRPa, and TRPb can determine that (5) has a solution by 
first calculating tv and then by verifying that 

= ; {yAlyy = {RAlRMr-F ; [yB/yY = [Rb! RmT ■ I- (6) 

The probability that this verification gives the wrong answer is less than Ijv. 

As explained at the end of Section 3, one can use hashes of £>, F, I in bind instead. 
The involved binding data can then be reduced to approximately the length of 
q. Observe that this technique can be generalized to the situation where more 
than two TRP’s are used. For each extra TRP the binding data increases with 
the length of the used hash, which is rather unfortunate. 

However, reducing the binding data can be done more effectively by using a 
standard trick of the trade (as pointed out to us by Berry Schoenmakers). Ob- 
serve that from (6) it follows that one can deduce {D,F,I) if one knows {tv,z). 




129 



Now we let (in the above notation) the binding data consist of {w, z) (instead of 
{D,F,I,z)). Verification of the binding data now consists of three steps. First 
one calculates (D,F,I) as indicated in (6), that is: 

D = g^-C-'" ■ F = {yAlyY ■{RaIR.m)-'" ; I = {vbIvY ■ {Rb/ Rm)''^ ■ 

Second (as before), let the one-way function H{.) work - in a fixed, public way - 
on E,C, Rm, Ra, Rb, D, F, I and possibly other public data such as Margaret’s 
full identity and the date/time resulting in a w;' <q. Third (and finally), check if 
w' equals w. If so accept the binding data (and conclude that (5) has a solution), 
otherwise reject it (and conclude that (5) has no solution). Note that one can 
easily convert the “new” {w,z) type of binding data to the “old” {D,F,I,z) 
type (and vice versa) . Hence it follows that the probability that this verification 
gives the wrong answer is less than 1/v. 

Note that these “new” binding data are of fixed (small) length, namely the length 
of q plus the length of the output of H{.) which is approximately equal to the 
length of q. Also, one can easily generalize this technique to the situation where 
more than two TRP’s are used. The length of the binding data is independent 
of the number of TRP’s which is very fortunate. As this technique is also more 
easily and securely implemented than the one using hashes of D,F, I we prefer 
it. 

5 Conclusion 

We have introduced a new concept for the establishment of an Information Se- 
curity Infrastructure that does not hamper law-enforcement, using binding data. 
More in particular, we have presented a construction for binding data for the 
ElGamal type of public key encryption schemes using well-understood crypto- 
graphic techniques and primitives. As a side result we show that a particular- 
simplification in a multiuser version of ElGamal does not affect its security. We 
expect that many more public key encryption schemes can be equipped with 
binding data. 

A special property of the binding concept is that abuse of the system is not 
only difficult but also detectable by any third party (e.g. network or service 
provider) without harming the privacy of law-abiding users. Other properties 
of the binding alternative include giving users in principle a flexible choice on 
who to trust with their confidential communication; moreover, there need be no 
vulnerable parties holding (master) keys in deposit. 

In our opinion, the properties of the binding alternative are flexible enough to 
allow cooperating countries to implement different cryptography policies on the 
domestic and international use of encryption in a coherent framework, which will 
be acceptable to many (most?) citizens in the information society. We emphasize 
that the binding alternative does not solve criminal encryption outside of this 
framework or even within using super-encryption - it is not meant to. Criminals 
can use encryption anyhow; our sole aim is that they should only be kept from 
effectively gaining advantage in using the (government supported) framework 
for this. 




130 



6 Acknowledgments 

We are very grateful to Berry Schoenmakers for his valuable comments, refer- 
ences to existing literature and his suggestion to improve the size of the binding 
data at the end of Section 4. 

A Proof of Proposition 3.1 

We shall only show implication 2) => 1) as the other implications are rather 
straightforward. To this end, we first claim that the following equality holds for 
all natural numbers x: 



gcd(a:,lcm(6i, . . . ,6„)) = lcm(gcd(x, 6i), . . . , gcd(x, 6„)). (7) 

This equality simply expresses that the lattice {Z, gcd, 1cm) is distributive. For 
a direct verification express the integers above in terms of prime powers and use 
min{x, max{/9i , . . . , = max{min{x, A } , • • ■ , min{x, /?„}} ■ 

The implication 2) 1) is trivial for n = 2. We shall now use induction to n. For 

the step n — > n -f 1 we may assume (by the induction hypothesis) the existence 
of y such that fllLi C”; = 2/ + (lcm(6i bn))- Hence: 

n-f 1 

n Ci = (y + (lcm(6i,...,5„))P)(o„+i + (6„+i)). (8) 

j=i 

According to the last assertion of the proposition this intersection is non-empty 
and of the appropriate form iff y—an+i is a multiple of gcd(&„+i , lcm(6i , . . . , 6„)) . 
By equality (7) this latter equals lcm(gcd(6„+i, 6j), . . . , gcd(6„+i, 6„)). Hence the 
lefthand side of equality (8) is non-empty iff y — u„+i is a multiple of gcd(f)„+i , bi) 
for f = 1 , . . . , 71. 

Now, fix 1 in {!,..., n} and write y — On+i — (y — «t) + (u* — Then the 

first term in the right hand side is a multiple of bj and hence of gcd(6„+i, bi). 
The second term is a multiple of gcd(6„+i,6i) as the cosets C, and Cn+i meet. 
So y — a„+i is a multiple of gcd(6„+i,bi) for each 1 < i < n. 

We conclude that the lefthand side of (8) is non-empty. That 0"=^!^ 
form y -f (lcm(bi,b 2 , • • • ,&n+i) now easily follows from the ?i = 2 case. 



B An Extension for Desmedt’s traceable variant of 
ElGamal 

We use the notation of Section 2, in particular we recall that g denotes a gener- 
ator of a group G. In [6], Desmedt proposes a variant of ElGamal in which all 
participants are given different generators by the Issuing Party (IP). Here is a 
number of the form fli^i where all qi are different prime numbers. For each 
participant P a unique divisor dp 1, called P’s order, of q is chosen (linked 
to P and stored). P is also given the (base-)generator gp = , the order of 




131 



which equals dp. This generator is part of his public key of P, which also (as in 
the standard ElGamal) includes a j/p e< gp > of the form yp = gp^’’ where xp 
(a random number less than q) is P’s secret key. A message S £ H encrypted 
by Ann using P’s public key takes the form {gp'^,yp^ ■ S) where fc is a number 
less than q randomly chosen by Ann. It is shown in [ 6 ] that addressees can be 
identified from the (orders of the) encrypted messages sent to them. We shall 
refer to Desmedt’s variant of ElGamal as D-ElGamal. 

In principle, there is no need for the IP to reveal dp to participant P. However, 
as can be easily seen (cf.[ 6 ]), knowledge of dp enables the Issuing Party IP to 
determine from the encrypted message with P’s public key. So, IP can use 
the knowledge of the dp to determine secret information. It can be argued (cf.[ 6 ]) 
that breaking the system for the IP should not be significantly easier than for 
an outsider. Hence, we come to the following: 

Assumption B.l With respect to the (encryption) security of D-ElGamal we 
assume that the orders dp ’s of participants and the factorization ofq, are publicly 
known. 

Extending D-ElGamal to a multiuser version in a similar way as in Definition 
2.1 is insecure. Indeed, suppose that a participant P wants to encrypt a message 
S € H meant for n participants with public keys (gi,yi), ■ ■ ■ ,{gn,yn) in tiie 
D-ElGamal scheme; the order of i-th participant will be denoted by dt . It seems 
natural, as in the conventional ElGamal scheme, that P generates one random 
number k and sends to the i-th participant (gf,?/-' • 5). However, by Assumption 
B.l an eavesdropper Eve can determine S‘^' for i = 1, ... n. So, if d is the greatest 
common divisor of the dj’s then Eve can also determine 5*^. In other words if 
these di are relatively prime (which is likely) then Eve can determine S. Although 
this might be an interesting feature for some countries (sending a message to a 
“wrong” group of people will expose the message), it is an unacceptable security 
risk. Also observe that generating different fci’s for each participant doesn’t help 
to resolve this insecurity. So, even in general, the multiuser extension of D- 
ElGamal is insecure. 

To remedy this, we will demand in the above extension of D-ElGamal that all 
dj’s except for di are equal to q-, the resulting scheme will be called Multi-D- 
ElGamal. It should be understood that later d\ will be used for P, the addressee. 
The other dj’s are for the TRP’s. Of course, all ki's are still equal to each other. 
Below we shall show that Multi-D-ElGamal is as secure as ElGamal with respect 
to 3 . So if the orders of all TRP’s are equal to q, then session keys can be virtually 
addressed (as explained in the introduction) to them in a secure way. Moreover, 
the construction of binding data for the Multi-D-ElGamal scheme is similar to 
that for the Multi-ElGamal scheme, as is the splitting of private keys of TRP’s. 
However, for reasons explained above, users should have confidence that the 
orders of their TRP’s are in fact equal to q. A fact that is difficult to check 
without the factorization of q. 

Let {gp,yp) be participant P’s public key in the D-ElGamal scheme, that is 
gp = . For technical reasons only we introduce the alternative D-ElGamal 




132 



scheme, in which the encryption of 5 € i? takes the form • S), i.e. 

the (superfluous) element g’^ is added. The alternative Multi- D-ElGamal scheme 
is formed from the Multi-D-ElGamal scheme by sending the first participant 
(whose order may differ from q) the alternative D-ElGamal encryption. 

Lemma B.2 If dp is known by an attacker Ada, then breaking the alternative 
D-ElGamal scheme w.r.t. (gp,yp) is as difficult as breaking the ElGamal scheme 
w.r.t. g. 

Proof [sketch]; Suppose there exists an efficient algorithm A that after an- 
alyzing a history of encrypted messages {g’^' ,gp^‘ ,yp^' ■ Si), i — l,...h, has 
a non-negligible change of outputting S on input of an encrypted message 
ig'‘,9p’',yp’‘ ■ S). 

Now suppose that participant Q has as public key y in the ElGamal scheme w.r.t. 
g. From this an attacker can form two public keys for two (imaginary) partic- 
ipants Vi and V 2 in the D-ElGamal scheme, namely {g'^,y‘^) and {g^^‘^,y^^'^)- 
Moreover an encryption [A,B) — {g*",y^ - 5) of a message S E H with Q’s 
public key can be transformed in an encryption of S'^ E H with Vi’s public 
key, by forming (A^, B‘^). Hence, after some time, by using A, Ada, has a non- 
negligible change of outputting S'*. Similarly, Ada has a non-negligible change 
of outputting As q and q/d are relatively prime {q is square-free), Ada has 
a non-negligible change of outputting S. D 

Theorem B.3 Let n be a natural number. Then breaking Multi- D- ElGamal for 
n addressees is as least as difficult as breaking ElGamal with respect to g. 

Proof [sketch]: Breaking the Multi-D-ElGamal scheme is as least as difficult 
as breaking the alternative Multi-D-ElGamal scheme. Now consider a sequence 
(“history”) of h encryptions of messages Si (i = l,..,,h) in the alternative 
D-ElGamal scheme: (g'",gp'“,yp'" - Si). 

Observe that yp can be seen as public key with respect to g. In fact, as gp = 
and as dp can be considered publicly known by Assumption B.l the com- 
putation of loggpp is as difficult as that of lopg^yp. 

By Lemma 2.2, from a sequence of encryptions {g*",yp*" ■ Si) anyone can con- 
struct a second sequence of encryptions of type (p*Sy*‘ ■ Si) with y random in 
G such that the computation of log^ ^ is as difficult as that of logg(j/p). 

Anyone that chooses a random number j less than, relatively prime with q, can 
calculate the generator g ~ and construct a third sequence of encryptions of 
type {g*" ,y*" ■ Si) with g a random generator in in G. It also follows that the 
computation of log^ y is as difficult as that of log^ y, which is as difficult as the 
computation of loggpPp. 

Hence - like in the proof of Theorem 2.3 - from the history of encryptions of 
messages in the alternative D-ElGamcd scheme, anyone can construct a typical 
history of encryption of messages in the alternative Multi-D-ElGamal scheme. By 
a similar argument as used in Theorem 2.3, breaking the latter, means breaking 
the alternative D-ElGamal scheme which by Lemma B.2 and Assumption B.l 
means breaking ElGamal with respect to g. □ 




133 



References 

1. R. Anderson, M. Roe, The GCHQ Protocol and its Problems, these proceedings. 

2. D.M. BaJenson, C.M. Ellison, S.B. Lipner, S.T. Walker (TIS Inc.), A New Approach 
to Software Key Escrow Encryption, in: L.J. Hoffman (ed.), Building in Big Brother 
(Springer, New York, 1996), pp. 180-207. See also http://www.tis.com. 

3. D. Chaum, T.P. Pedersen, Wallet Databases with Observers Advances in Cryptol- 
ogy - CRYPTO ’92 Proceedings, Springer- Verlag, 1993, pp. 89-105. 

4. D. Coppersmith, Finding a Small Root of a Univariate Modular Equation, Ad- 
vances in Cryptology - EUROCRYPT ’96 Proceedings, Springer- Verlag, 1995, pp. 
155-165. 

5. R. Cramer, R. Gennaro, B. Schoenmakers A Secure and Optimally Efficient Multi- 
Authority Election Scheme, these proceedings. 

6. Y. Desmedt, Securing Traceability of Ciphertexts - Towards a Secure Key Escrow 
System, Advances in Cryptology - EUROCRYPT ’95 Proceedings, Springer- Verlag, 

1995, pp. 147-157. 

7. T. ElGamal, A Public Key Cryptosystem and a Signature scheme Based on Discrete 
Logarithms, IEEE Transactions on Information Theory 31(4), 1985, pp. 469-472. 

8. Interagency Working Group on Cryptography Policy, Enabling Privacy, Com- 
merce, Security and Public Safety in the Global Information Infrastructure, 17 May 

1996, see http://www.cdt.org/crypto/clipper-III. 

9. L.C. Guillou, J.-J. Quisquater A Practical Zero-Knowledge Protocol Fitted to Se- 
curity Microprocessor Minimizing Both Transmission and Memory, Advances in 
Cryptology - BUROCRYPT '86 Proceedings, Springer- Verlag, 1986, pp. 123-128. 

10. J. Hastad, On Using RSA with Low Exponent in a Public Key Network, Advances 
in Cryptology - CRYPTO ’85 Proceedings, Springer- Verlag, 1993, pp. 403-405. 

11. N. Jefferies, C. Mitchell, M. Walker, A Proposed Architecture for Trusted Third 
Party Services, Cryptography: Policy and Algorithms, Proceedings of the confer- 
ence, Springer- Verlag (LNCS 1029), 1996, pp. 98-104. 

12. A.K. Lenstra, P. Winkler, Y. Yacobi A Key-Escrow System with Warrants Bounds, 
Advances in Cryptology - CRYPTO ’95 Proceedings, Springer- Verlag, 1995, pp. 
197-207. 

13. S. Micali, Fair Public-key Cryptosystems, Advances in Cryptology - CRYPTO ’92 
Proceedings, Springer- Verlag, 1993, pp. 113-138. 

14. National Research Council, Cryptography’s Role in Securing the Information So- 
ciety, K.W. Dam, H.S. Lin (Editors), National Academy Press Washington, D.C. 
1996, pp.720. 

15. T.P. Petersen, Distributed Provers with Applications to Undeniable Signatures, Ad- 
vances in Cryptology - EUROCRYPT ’91, Springer- Verlag, 1991, pp. 221-242. 

16. T.P. Petersen, A Treshold Cryptosystem Without a Trusted Party, Advances in 
Cryptology - EUROCRYPT ’91, Springer- Verlag, 1991, pp. 522-526. 

17. C P. Schnorr, Efficient Signature Generation for Smart Cards, Advances in Cryp- 
tology - CRYPTO ’89 Proceedings, Springer- Verlag, 1990, pp. 225-232. 

18. D.R. Stinson Cryptography: theory and practice, CRC press, 1995, pp.434. 

19. E.R. Verheul, B.-J. Koops, H.C.A. van Tilborg, Binding Cryptography. A fraud- 
detectible alternative to key- escrow solutions, Computer Law and Security Report, 
Januaiy-February 1997, pp. 3-14. 




The GCHQ Protocol and Its Problems 



Ross Anderson, Michael Roe 

Cambridge University Computer Laboratory 
Pembroke Street, Cambridge CB2 3QG 
Email: (rjal4,mrr)acl. cam. ac.uk 



Abstract. The UK government is fielding an architecture for secure 
electronic mail based on the NSA’s Message Security Protocol, with a 
key escrow scheme inspired by Diffie- Heilman. Attempts have been made 
to have this protocol adopted by other governments and in various do- 
mestic applications. The declared policy goal is to entrench commercial 
key escrow while simultaneously creating a large enough market that 
software houses will support the protocol as a standard feature rather 
than charging extra for it. 

We describe this protocol and show that, like the ‘Clipper’ proposal of a 
few years ago, it has a number of problems. It provides the worst of both 
secret and public key systems, without delivering the advantages of ei- 
ther; it does not support nonrepudiation; and there are serious problems 
with the replacement of compromised keys, the protection of security la- 
bels, and the support of complex or dynamic administrative structures. 



1 Introduction 

Over the last two years, the British government’s crypto policy has changed 
completely. Whereas in 1994 the Prime Minister assured the House of Com- 
mons that no further restrictions on encryption were envisaged, we now find the 
government proposing to introduce a licensing scheme for ‘trusted third par- 
ties’, and licenses will only be granted to operators that escrow their customers’ 
confidentiality keys to the government’s satisfaction [11, 21]. 

In March 1996, a document describing the cryptographic protocols to be used 
in government electronic mail systems was issued by CESG, the department of 
GCHQ concerned with the protection of government information; it has since 
been made available on the worldwide web [4]. According to this document, pol- 
icy goals include ‘attempting to facilitate future inter- operability with commer- 
cial users, maximising the use of commercial technology in a controlled manner, 
while allowing access to keys for data recovery or law enforcement purposes if 
required'^ . 

^ A UK official who chairs the EU’s Senior Officials’ Group - Information Security 
(SOGIS) has since admitted that ‘law enforcement’ in this context actually refers to 
national intelligence [10]. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 134-148, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




135 



A document on encryption in the National Health Service, issued in April, 
had already recommended that medical traffic should be encrypted, and keys 
should be managed, using mechanisms compatible with the future ‘National 
Public Key Infrastructure’ [26]; part of the claimed advantages for the health 
service were that the same mechanisms would be used to protect electronically 
filed tax returns and applications from industry for government grants. Fur- 
thermore, attempts are being made to persuade other European countries to 
standardise on this protocol suite. 

So the soundness and efficiency of the GCHQ protocol proposals could be 
extremely important. If an unsound protocol were to be adopted across Europe, 
then this could adversely affect not just the secrecy of national classified data, 
the safety and privacy of medical systems, and the confidentiality of tax returns 
and government grant applications. It could also affect a wide range of commer- 
cial systems too, and make Europe significantly more vulnerable to information 
warfare. If the protocols were sound but inefficient, then they might not be 
widely adopted; or if they were, the costs imposed on the economy could place 
European products and services at a competitive disadvantage. 

In this paper, we present an initial analysis of the security and efficiency of 
the GCHQ protocol. 

2 The GCHQ Protocol 

The precursor of the government protocol was first published by Jefferies, Mitchell 
and Walker at a conference in July 1995 [13]. A flaw was pointed out there^ and 
a revised version was published in the final proceedings of that conference; this 
version also appeared at the Public Key Infrastructure Invitational Workshop 
at MITRE, Virginia, USA, in September 1995 and at PKS ’96 in Zurich on 1st 
October 1996 [14]. The final, government approved, version of the protocol fixes 
some minor problems and adds some new features. 

The document [4] is not complete in itself, as the protocol is presented as a 
series of extensions to the NSA’s Message Security Protocol [18]. In the next sec- 
tion we will attempt for the first time to present the whole system in a complete 
and concise way, suitable for analysis by the cryptologic and computer security 
communities. We will then discuss some of its more obvious faults. 

The GCHQ architecture assumes administrative domains ‘corresponding ap- 
proximately to individual departments’, although there may be smaller domains 
where a department is scattered over a large geographical area. Each will have a 
‘Certificate Management Authority’, under the control of the departmental se- 
curity officer, which will be responsible for registering users and supplying them 
with keys. Key management will initially be under the control of GCHQ but 
might, in time, be devolved. 

^ The original protocol allowed the same base and modulus to be used in different 
domains and was thus vulnerable to Burmester’s attack [2] 




136 



The basic idea is that if Alice wants to send email to Bob, she must go to her 
certificate management authority, whom we will call TA, and obtain from him 
secret information that enables her to calculate a key for communicating with 
Bob. She also receives a certificate of this secret information, and sends this to 
Bob along with the encrypted message. On receipt of the message Bob contacts 
his certificate management authority TB and obtains the secret information that 
he needs to decrypt the message. Thus two individuals can communicate only if 
both their departmental security officers decide to permit this. 

The communication flow can be visualised in the following diagram: 



_ erearran^gedjct^ _ ^ 



1 



2 



A 



3 



4 



5 



B 



We will now describe the content of these messages. The protocol is a deriva- 
tive of Diffie Heilman [5] and the basic idea is that, in order to communicate with 
Bob, Alice must obtain a ‘public receive key’ for him from TA and operate on 
this with a ‘secret send key’ that TA also issues her, along with a certificate on 
the corresponding ‘public send key’. At the other end. Bob will obtain a ‘secret 
receive key’ for her from TB and will use this to operate on her ‘public send key’ 
whose certificate he will check. 

The secret receive keys are known to both users’ authorities, and are calcu- 
lated from their names using a shared secret master key. Each pair of domains 
TA, TFhas a ‘top level interoperability key’, which we will call /fj’^yfor man- 
aging communication. The relevant key here is K^AB ''’hich is shared between 
TA and TB. The mechanisms used to establish these keys are not described. 

We will simplify the GCHQ notation by following [3] and writing {X]y for 
the block X encrypted under the key Y using a conventional block cipher. Then 
the long term seed key that governs Bob’s reception of traffic from all users in 
the domain of TA is: 



rseeds,^ = (1) 

A secret receive key of the day is then derived by using this seed key to 
encrypt a datestamp: 




137 



SRKb,/i,d — {■^}rseedB ,4 

and Bob’s public key of the day, for receiving messages from users in the 
domain TA, is 



PRKb,a,d=9a (modiV^) (3) 

where the ‘base’ qa and the modulus Na are those of TA's domain (the 
document does not specify whether Na should be prime or composite, or the 
properties that the group generated by qa should possess). 

Finally, TA certifies Bob’s public key of the day as Sj'j^{B^D^'P'KKb,a,d)- 

Only receive keys are generated using secrets shared between authorities. 
Send keys are unilaterally generated by the sender’s authority from an inter- 
nal master key, which we will call for TA, and the user’s name. Thus 

Alice’s seed key for sending messages is sseed^ = {A}kj,j^', her secret send 
key of the day is derived as = {^}sseed public send key is 

SSK ^ 

PSK, 4 ,d = 9a (mod Na)- TA sends her the secret send key, plus a certifi- 

cate Cert{A, D, PSKa,d) on her public send key. Send seed keys may be refreshed 
on demand. 

Now Alice can finally generate a shared key of the day with Bob as 



kA,R,n — (PRKb,4,d)^^^'^ ‘’ (mod Na) (4) 

This key is not used directly to encipher data, but as a ‘token key’ to encipher 
a token containing a session key. Thus, when sending the same message to more 
than one person, it need only be encrypted once, and its session key can be sent 
in a number of tokens to its authorised recipients. 

Anyway, Alice can now send Bob an encrypted version of the message M. 
According to the GCHQ protocol specification, certificates are sent with the 
object ‘to simplify processing’, so the packet that she sends to Bob (in message 
3 of the diagram overleaf) is actually 






Cert{B, D, FRKo.a.v), Cert{A, D, PSK^,/,) 



( 5 ) 



This protocol is rather complex. But what does it actually achieve? 




138 



2.1 Problem 1 — why not just use Kerberos? 

The obvious question to ask about the GCHQ protocol is why public key tech- 
niques are used at all. After all, if TA and TB share a secret key, and Alice and 
Bob have to interact with them to obtain a session key, then one might just as 
well use the kind of protocol invented by Needham and Schroder [19] and since 
deployed in products like Kerberos [20]. Where Alice shares the key with 
TA and Bob shares K g with TB, a suitable protocol might look like 

A TA : A, B 
TA ^ A : 

A —^B : A, {K A, B ,d} {k^K k 
B TB : A,B,{Kj^B>^>B>d.}Kj,j^Q 
TB ^ B : [K/^b, d, A, B}kq 

This protocol uses significantly less computing than the GCHQ offering, and 
no more messages. It can be implemented in cheap commercial off-the-shelf to- 
kens such as smartcards, and with only minor modification of the widely available 
code for Kerberos. This would bring the further advantage that the implications 
of ‘Kerberising’ existing applications have been widely studied and are fairly 
well understood in a number of sectors (see, e.g. [12]). On the other hand, the 
integration of a completely new suite of authentication aind encryption software 
would mean redoing this work. Given that the great majority of actual attacks 
on cryptosystems exploit blunders at the level of implementation detail [1] , this 
will mean less secure systems. 

The GCHQ response to this criticism is [15]; 

This is not so much an attack on the recommendations as an objec- 
tion to the Trusted Third Party concept and the need for key recovery. 

The recommendations offer a realistic architectural solution to a complex 
problem and, as with any system, will require professional implementa- 
tion. 

This completely misses the point. Given that the UK government has decided 
to adopt key escrow in its own internal systems, exactly the same functional- 
ity could have been provided by a simple adaptation of Kerberos at much less 
cost and risk. The only extra feature that appears to be provided by the GCHQ 
protocol is that users who receive mail from only a small number of other depart- 
ments, and who operate under security rules that permit seed keys to persist for 
substantial periods of time, may save some communications with their TTPs by 
storing receive seed keys locally. This leads us to consider the issue of scalability. 

2.2 Problem 2 — where are the keys administered? 

How well the GCHQ protocol (or for that matter Kerberos) will scale will depend 
on how many key management authorities there are. With a large number of 




139 



them — say, one per business enterprise — the problem of inter-enterprise key 
management would dominate and the above protocol would have solved nothing. 

The British government may be aware of this problem, as they propose to 
minimise the number of authorities. Under the legislation currently proposed, 
large companies would be permitted to manage their own keys — the rationale 
being that having significant assets they would be responsive to warrants — while 
small to medium enterprises and individuals would have to use the services of 
licensed TTPs — organisations such as banks that would undertake the dual 
role of certificate management authority and escrow agent. 

We do not believe that this will work. One of us has experience of a bank 
with 25,000 employees, managed through seven regional personnel offices, trying 
to administer mainframe passwords at a central site. With thirty staff and much 
message passing to and from the regions, the task was just about feasible, but 
compelling a million small businesses to conduct a transaction with the ‘Trusted 
Third Party’ every time a staff member was hired, fired or moved, would do little 
for national economic (lompetitiveness. 

Medicine is another application to consider, as the issue of encryption and 
signature of medical records is the subject of debate in a number of European and 
other countries. There is relevant experience from New Zealand, where a proposal 
to have doctors’ keys managed by officials in the local district hospitals turned 
out to be impractical. It is now proposed that keys there should be managed at 
the practice level [9]. In the UK, with some 12,000 general practices, hospitals 
and community care facilities, centralised key management is even less likely to 
be workable. 

The GCHQ response to this criticism is [15]: 

It has also been suggested that a TTP network could become large 

and that some users would have to keep a large number of public keys. 

This problem is overcome in the Royal Holloway architecture since any 

user can obtain all the necessary key material from its local TTP. This 

is inherently more scalable than other approaches. 

This again misses the point. If the UK health service, with 12,000 providers, 
has 12,000 TTPs, then the inter-TTP communications would be the bottleneck. 

There is also the issue of trust. In the UK, the medical profession perceived 
the recommendation in [26] that key management should be centralised in a 
government body as an attempt to undermine the independence of the institu- 
tions currently responsible for professional registration — the General Medical 
Council (for doctors), the UK Central Council (for nurses), and so on. Retaining 
these organisations as top level CAs is essential for creating professional trust 
without which a security system would deliver little value. 

But with the GCHQ protocol, this would appear to mean that a doctor who 
wished to send an encrypted email to a nurse working in the same practice would 
have to send a message to the GMC to get a key to encrypt the message, and 




140 



the nurse would have to contact the UKCC to get a key to decrypt it. This is 
clearly ludicrous. 

In short, the GCHQ protocol may work for a strictly hierarchical organisation 
like government may be thought to be (though if that were the case, a Kerberos 
like system would almost certainly work better). But it is not flexible enough 
to accommodate real world applications such as small business and professional 
practice. This raises the question of whether it will even work in government. We 
suspect it would work at best badly — and impose a structural rigidity which 
could frustrate attempts to make government more efficient and accountable. 

The GCHQ response to this criticism is [15J: 

The frameworks for confidentiality and authentication have been de- 
signed to cater for a wide range of environments. A hierarchy is defined 
only for the authentication framework and this is necessary because good 
security requires tight control. 

This claim is inconsistent with the protocol document according to which ‘As 
the Certificate Management Authority is responsible for generating the confiden- 
tiality keys, it should also take on the role of a certification authority in order to 
authenticate them’. Thus the confidentiality and authentication hierarchies are 
clearly intended to be identical. 

Rossnagel made the point that trust structures in the electronic world should 
mirror those in existing practice [23] ; a point which all security engineers should 
consider carefully. 



2.3 Problem 3 - should signing keys be escrowed? 

The next problem is the plan to set up an escrowed trust structure of confiden- 
tiality keys first, and then bootstrap authentication keys from this [4] [26]. 

The GCHQ protocol defines a structure called a token to transfer private keys 
in an encrypted form. What is also required is a mechanism to convey public 
signature verification keys to the authority for certification, as well as a means 
to revoke signature keys (which should be independent of the ‘key of the day’ 
system that provides implicit revocation of encryption keys). Such mechanisms 
are not provided. 

Similar considerations apply to MAGs. The original US MSP has a mode of 
operation which provides confidentiality and integrity but not non-repudiation. 
In this mode, the message is not signed, and instead the confidentiality key 
(or a key derived from it) is used to generate a MAC on the message. As the 
GCHQ protocol is specified by citing the US MSP specification and explaining 
the differences, it would appear that this mode will also be a part of it; but 
when combined with the GCHQ key management, the effect is that an escrowed 
confidentiality key is used to authenticate the message. 




141 



Even if confidentiality keys are eventually required by law to be escrowed, the 
keys used for authentication must be treated differently, and there is a risk that 
programmers and managers responsible for implementing the GCHQ protocol 
might overlook this distinction and produce a flawed system. So it is worth 
explaining explicitly. 

The stated purpose of key escrow is to enable law enforcement and other 
government employees to monitor the contents of encrypted traffic (and, in some 
escrow schemes, to facilitate data recovery if users lose or forget their keys). 
Its stated purpose does not include allowing government employees to create 
forged legal documents (such as contracts or purchase orders) . It would be highly 
undesirable if people with access to the escrow system were able to use this 
access to forge other people’s digital signatures. The scope for insider fraud and 
conspiracy to pervert the course of justice would be immense. 

Any police officer will appreciate that if he can get copies of my bank state- 
ments, then perhaps he can use them in evidence against me; but if he can 
tracelessly forge my cheques, then there is no evidence at all any more. So if 
there is any possibility that a digital signature might be needed as evidence, 
then the private key used to create it must not be escrowed. 

In fact, we would go further than this: keys which are used only for authen- 
tication (and not non-repudiation) should not be escrowed either. For example, 
suppose that some piece of equipment (e.g. a power station, or a telephone 
exchange) is controlled remotely, and digital signatures or MACs are used to au- 
thenticate the control messages. Even if these messages are not retained for the 
purposes of evidence, it is clearly important to distinguish between authorising 
a law enforcement officer to monitor what is going on and authorising him to 
operate the equipment. If authentication keys are escrowed, then the ability to 
monitor and the ability to create seemingly authentic control messages become 
inseparable: this is almost certainly a bad thing. Returning to the medical con- 
text, it is unlikely that either doctors or patients would be happy with a system 
that allowed the police to forge prescriptions, or the intelligence services to as- 
sume control of life support equipment. We doubt that a well informed minister 
would wish to expose himself and his officers in such a way. 

In such applications, we need an infrastructure of signature keys that is as 
trustworthy as we can make it. Bootstrapping the trust structure from a system 
of escrowed confidentiality keys is unacceptable. 

The GCHQ response to this criticism is [15]: 

This confuses the authentication and confidentiality frameworks. There 
is no intention to bootstrap signature keys required for non-repudiation 
purposes within the authentication framework. 

The protocol document states (2.2.1) that ‘to provide a non-repudiation ser- 
vice users would generate their own secret and public authentication key pairs, 
then pass the public part to a certification authority’. But no mechanism for this 
is provided; in the rest of the document, it is assumed that all secret keys are 




142 



generated by the certification authority, and both the secret and public parts 
passed to the user. Given GCHQ’s response, we conclude that their protocol is 
not intended to provide a non-repudiation service at all. 

Furthermore, both authentication and confidentiality key material is under 
the control of the Departmental Security Officer. This leads to an interesting 
‘plausible deniability’ property. If there is a failure of security, and an embar- 
rassing message is leaked, then it is always possible to claim that the message 
was forged (perhaps by the very security officer whose negligence permitted the 
leak in the first place). 

For these reasons, if non-governmental use of the GCHQ protocol is contem- 
plated — or compelled by legislation — then signing keys should be managed 
by some other means (and not escrowed). We also recommend that normal pol- 
icy should prohibit the sending of MAC-only messages; if a MAC-only message 
is received, the purported sender should be asked to resend a properly signed 
version (there are some special purpose uses in which the MAC-only mode is 
useful, but we won’t describe them here). 



2.4 Problem 4 — clear security labels 

In the original NS A Message Security Protocol, the label describing the security 
classification of the contents of an encrypted message is also encrypted. The 
GCHQ version adds an extension which contains the label in clear (we will refer 
to this as the ‘cleartext’ security label, while the actual classification is the 
‘plaintext’ security label). 

There is a problem with doing this. An attacker can often derive valuable 
information from the cleartext label, taken together with the identity of the 
sender and recipient and the message volume. Indeed, with some labels, the 
attacker learns all she wants to know from the label itself, and cryptanalysis 
of the message body is unnecessary. This is why the US does not use cleartext 
security labels. 

The GCHQ response to this criticism is [15]: 

CESG’s modifications have been made after careful consideration of 
government requirements and in consultation with departments; they are 
sensible responses to these requirements. 

We understand that these ‘requirements’ concern the national rules concern- 
ing the forms of protection which are deemed appropriate for various types of 
information. 

Under the UK rules, it is possible for a combination of physical and cryp- 
tographic mechanism taken together to be deemed adequate, whereas either 
mechanism on its own is deemed inadequate. For example, a message classified 
SECRET can be enciphered with RAMBUTAN and then transmitted over a link 




143 



which lies entirely within the UK. The protection provided by RAMBUTAN is 
deemed insufficient if the same message is being transmitted across the Atlantic. 

So British enciphered messages need to divided into two or more types; those 
that require various forms of additional physical protection, and those that don’t. 
The message transfer system needs to be able to tell which messages are which, 
so it can use physically protected communications lines for some messages but 
not for others. The easiest way to achieve this is to mark the ciphertext with 
the classification of the plaintext. 

However, if an opponent can get past the physical protection (which is often 
quite easy), then she can carry out the attacks described above. It would clearly 
be desirable for UK to follow the American lead and encrypt all security labels. 

It may be argued that the rules are so entrenched that this is infeasible. A 
technical alternative is to reduce the cleartext security label to a single bit indi- 
cating only the handling requirements. In this way, routers have the information 
they need, and attackers get no more information than this (which they could 
arguably derive in any case by observing the route that the message takes). 
Using a completely incompatible (and information-losing) syntax for cleartext 
labels would also prevent lazy or careless implementers using them as plaintext 
labels. Such robustness would have been prudent design practice. 

In fact, the GCHQ protocol does not protect the integrity of the cleartext 
security label either, and so the attacker can manipulate it. If it is ever used 
to determine the sensitivity of the decrypted plaintext, then the recipient could 
be tricked into believing that the message had a different classification, which 
might lead to its compromise. 



2.5 Problem 5 — identity based keys 

The GCHQ protocol gives users seed keys which they hash with timestamps to 
get user keys. But it is quite likely that some seed keys will be compromised 
(e.g. by Trojan horses previously inserted by attackers; via theft of computers; 
if smart cards holding them are lost etc). In that case, the user’s certificates 
can be revoked, but the user cannot be issued with a new seed key, as it is 
a deterministic function of her name. All the CA can do is reissue the same 
(compromised) key. 

To recover from this situation, either the user has to change her name, or the 
CA has to change the interoperability key and reissue new seed keys for every 
user in the domain. Both of these alternatives are unacceptable, and this is a 
serious flaw in the GCHQ protocol. It might be remedied by making the seed 
key also depend on an initial timestamp (which would also have to be added at 
several other places in the protocol). 

2.6 Problem 6 — scope of master key compromise 

The compromise of the interoperability key between two domains would be catas- 
trophic, as all traffic between users in those domains could now be read. In our 




144 



experience, the likelihood of master key compromise is persistently underesti- 
mated. We know of cases in both the banking and satellite TV industries where 
organisations have had to reissue millions of customer cards as a result of a key 
compromise that they had considered impossible and for which they therefore 
had no disaster recovery plan. Introducing such a vulnerability on purpose is 
imprudent. 

The GCHQ response to this criticism is [15]: 

CESG is fully aware of the need adequately to secure such high level 

exchanges and there are a number of ways this could be done. 

Indeed, and comparison with other escrow systems such as Clipper shows that 
it is possible to provide some degree of protection against accidental disclosure 
and rogue insiders, by using two escrow agents in different departments rather 
than the single crypto custodians proposed by GCHQ. Clipper is not perfect in 
this regard, but it at least shows that it is possible to do better. At the very 
least, it would be prudent to change the interoperability keys frequently; this 
would remove the need for seed keys (and thus strengthen the argument for 
using Kerberos instead). 

Of course, if corrupt law enforcement officers are allowed to abuse the system 
indefinitely, then no cryptographic, or dual control protocol can put things right. 
Any discussion of insider attacks must assume that there exist procedures for 
dealing with misbehaving insiders, and indeed for detecting misbehaviour in the 
first place. This can be done with non-escrowed key management protocols (see 
for example [16]) but appears more difficult when escrow is a requirement. 

2.7 Problem 7 — MOAC 

The GCHQ protocol defines an extension which provides a “simple message 
origin authentication check” . This is a digital signature computed on the contents 
of the message, and nothing else. By way of contrast, the original US MSP 
provided message origin authentication by computing a digital signature on a 
hash of the message and some additional control information. This additional 
control information can contain the data type of the message (e.g. whether it is 
an interpersonal text message or an EDI transaction). 

The GCHQ proposal is an extension, rather than a replacement. That is, 
messages will contain two forms of digital signature; the old US form and the 
new UK form. As a result, this extension has not made the protocol simpler; it 
has made it more complex. 

In nearly all circumstances, it would best to use the original US form of 
signature rather than the new UK one. The US form is very nearly as quick 
to compute, and it protects against some attacks to which the UK version is 
vulnerable. (It is possible for a bit string to have two different interpretations, 
depending on which data type the receiver believes it to be. The UK signature 




145 



does not protect the content type, so an attacker could change this field and 
trick the receiver into misinterpreting the message.) 

One situation in which there might be a use for this UK extension is in im- 
plementing gateways between the GCHQ protocol and other security protocols. 
For example, it would be possible for a gateway to convert between Internet 
Privacy Enhanced Mail and UK MSP by replaning the PEM header with an 
MSP header and copying the PEM signature into the UK signature extension 
field. The important point to note about this is that such a gateway does not 
need access to any cryptographic keys, as it does not need to re-compute the 
signature. By way of contrast, a gateway between US MSP and PEM would need 
access to the sender’s signature key; this is a very bad idea for obvious reasons. 



2.8 Problem 8 — choice of encryption algorithm 

GCHQ wants people to use an unpublished block cipher with 64 bit block and 
key size called Red Pike. According to a report on the algorithm prepared in 
an attempt to sell it to the Health Service, it is similar to RC5 [22] but with a 
different key schedule. It will apparently be the standard for government traffic 
marked up to ‘Restricted’, and it is claimed that systems containing it may 
be less subject to export controls: health service ofircials have claimed that US 
companies operating in the UK may be allowed by the US government to use 
Red Pike in products in which the use of DES would be discountenanced by the 
US State Department. 

More significantly, Red Pike will shortly be fielded in mass market software, 
and will thus inevitably be reverse engineered and published, as RC2 and RC4 
were. So it is hard to understand why the UK government refuses to publish it, 
or why anyone should trust it, at least until it has been exposed to the attention 
of the cryptanalytic community for a number of years. If GCHQ scientists have 
found a weakness in RC5 and a fix for it or even a change that speeds it up 
without weakening it — then surely the best way to gain acceptance for such an 
innovation would be to publish it. 

The GCHQ response to this criticism is [15]; 

Another common misconception is that the CESG Red Pike algo- 
rithm is being recommended for use in the public arena. No confiden- 
tiality algorithm is mandated in the recommendations; for HMG use, 
however, approved algorithms will be required; Red Pike was designed 
for a broad range of HMG applications. 

Vigorous efforts are still being made to promote the use of Red Pike in the 
health service, and as noted above, it is supposed to be used in a wide range 
of citizens’ interactions with government such as filing tax returns and grant 
applications. Thus the accuracy of the above response is a matter of how one 
interprets the phrase ‘public arena’. 




146 



3 Conclusion 

The GCHQ protocol is very poorly engineered. 

1. The key management scheme gives us all the disadvantages of public key 
crypto (high computational complexity, long key management messages, dif- 
ficult to implement on cheap devices such as smartcards), and all the disad- 
vantages of secret key crypto (single point of failure, little forward security, 
little evidential force, difficulty of ‘plug and play’ with shrink-wrapped soft- 
ware). It does not provide any of the advantages that one could get from 
either of these technologies; and its complexity is likely to lead to the subtle 
and unexpected implementation bugs which are the cause of most real world 
security failures. 

2. It is designed for tightly hierarchical organisations, and cannot economically 
cope with the more complex trust structures in modern commerce, industry 
and professional practice. Its main effect in government may to perpetu- 
ate rigid hierarchies and frustrate the efficiency improvements that modern 
management techniques might make possible. 

3. It goes about establishing trust in the wrong way. To plan to bootstrap 
signature keys from a ‘national public key infrastructure’ of escrowed confi- 
dentiality keys shows a cavalier disregard of the realities of evidence and of 
safety-critical systems. 

4. There are a number of serious technical problems with the modifications 
that have been made to the US Message Security Protocol, which underlies 
the UK government’s offering. Quite independently of the key management 
scheme and trust hierarchy that are eventually adopted, these modifications 
are unsound and should not be used. 

The above four conclusions appeared in an earlier draft of this paper. The 
GCHQ response that that draft, which we have cited here, has not persuaded 
us to change a single word of their text. 

We call on the cryptologic and computer security communities to subject 
this protocol to further study. If adopted as widely as the British government 
clearly hopes it to be, it would be a single point of failure of a large number of 
applications on which the security, health^, privacy and economic wellbeing of 
Europe’s citizens would come to depend. 

Acknowledgement: We are grateful to the security group at Cambridge for 
discussions, and to Paul van Oorschot for pointing out that the second version 

^ GCHQ has since claimed that the NHS proposals and its are ‘similar but distinct’ 
[15]. They are indeed similar, with many of the undesirable features described below 
being incorporated into NHS crypto pilots. The only respect in which they are clearly 
distinct is that the DH/DSA mechcinisms were replaced by RSA after RSA was 
adopted as a European standard for healthcare. However, many of the undesirable 
features which we discuss above, such as the central generation of signature keys, 
have been retained in the NHS pilots. 




147 



of this protocol was presented at two other conferences as well as appearing in 
the Queensland conference proceedings [14]. 

References 

1. RJ Anderson, “Why Cryptosystems Fail”, in Communications of the ACM v 
37 no 11 (Nov 94) pp 32-40 

2. M Burmester, “On the Risk of Opening Distributed Keys”, in Advances in 
Cryptology — CRYPTO ’94, Springer LNCS v 839 pp 308-317 

3. M Burrows, M Abadi, RM Needham, “A Logic of Authentication”, in Proceed- 
ings of the Royal Society of London A v 426 (1989) pp 233-271 

4. CESG, “Securing Electronic Mriil within HMG — part 1; Infrastructure and 
Protocol” 21 March 1996, document T/3113TL/2776/11; available at URL 
http : //wwH . rdg . opengroup . org/public/tech/security/pki/casm/ casm . htm 

5. W DifRe, ME Heilman, “New Directions in Cryptography”, in IEEE Transac- 
tions on Information Theory, IT-22 no 6 (November 1976) p 644-654 

6. Electronic Privacy Information Center, 1996 EPIC Cryptography and Privacy 
Sourcebook, Washington, DC 

7. US Department of Commerce, ‘Escrowed Encryption Standard’, FIPS PUB 
185, February 1994 

8. Y Frankel, M Yung, Escrow Encryption Systems Visited: Attacks, Analysis 
and Designs", in Advances in Cryptology — CRYPTO 95, Springer LNCS v 
963 pp 222-235 

9. P Gutman, personal communication, July 96 

10. D Herson, in interview with Kurt Westh Nielsen and Jerome Thorel, 25 
September 1996; Ingenipren/Engineering Weekly 10/04/1996; available at 
http : //www . ingenioeren . dk/redaktion/her son . htm 

11. N Hickson, Department of Trade and Industry, speaking at 'Information Se- 
curity — Is IT Safe?’, lEE, Savoy Place, London, 27th June 1996 

12. I Hollander, P Rajaram, C Tanno, “Kerberos on Wall Street”, in Usenix Se- 
curity 96 pp 105-112 

13. N Jefferies, C Mitchell, M Walker, “A Proposed Architecture for Trusted Third 
Party Services”, in proceedings of Cryptography Policy and Algorithms Con- 
ference, 3-5 July 1995, pp 67 81; published by Queensland University of Tech- 
nology 

14. N Jefferies, C Mitchell, M Walker, “A Proposed Architecture for Trusted Third 
Party Services”, in Cryptography: Policy and Algorithms, Springer LNCS v 
1029 pp 98-104; also appeared at the Public Key Infrastructure Invitational 
Workshop at MITRE, Virginia, USA, in September 1995 and PKS ’96 in Ziirich 
on 1st October 1996 

15. ID Jones, letter to R Anderson on behalf of GCHQ ’s Communications Electron- 
ics Security Group-, available at http: //www . cs .berkeley . edu/'daw/GCHQ/ 

16. TMA Lomas, B Crispo, “A New Certification Scheme” , in Proceedings of 
the Fourth Cambridge Workshop on Cryptographic Protocols (1996), Springer 
LNCS series pp 19-32 

17. TMA Lomas, MR Roe, “Forging a Clipper Message”, in Communications of 
the ACM V 37 no 12 (Dec 94) p 12 

18. U.S. National Security Agency, ‘Secure Data Network System : Message Secu- 
rity Protocol (MSP)’, SDN.701, revision 4.0 (January 1996) 




148 



19. RM Needham, MD Schroder, “Using Encryption for Authentication in Large 
Networks of Computers”, in Communications of the ACM vol 21 no 12 (Dec 
78) pp 993-999 

20. BC Neuman, T Ts’o, “Kerberos: An Authentication Service for Computer 
Networks” , in IEEE Communications Magazine v 32 no 9 (Sep 94) pp 33-38 

21. Press Association, “Move to Strengthen Information Security”, 06/10 1808 

22. RL Rivest, “The RC5 Encryption Algorithm”, in Fast Software Encryption 
(1994), Springer LNCS v 1008 pp 86-96 

23. Rofinagel A, “Institutionell-organisatorische Gestaltung informationstechnis- 
cher Sicherungsinfrostrukturen” , in Datenschutz und Datensicherung (5/95) 
pp 259 269 

24. RL Rivest, B Lampson, “A Simple Distributed Security Infrastructure”, at 
http: //theory . Ics .mit . edu/ "ri vest /publicat ions .htral 

25. B Schneier, ‘Applied Cryptography — Protocols, Algorithms, and Source Code 
in C’ (second edition), John Wiley & Sons, New York, 1996 

26. Zergo Ltd., ‘The use of encryption and related services with the NHSnef, pub- 
lished by the NHS Executive Information Management Group 12/4/96, refer- 
ence number E5254; available from the Department of Health, PO Box 410, 
Wetherby LS23 7LN; Fax -1-44 1937 845381 




Bucket Hashing with a Small Key Size 



Thomas Johansson 



Department of Information Technology, Lund University, 
PO Box 118, S-221 00 Lund, Sweden 
Email:thomas@it. lth.se 



Abstract. In this paper we consider very fast evaluation of strongly 
universal hash functions, or equivalently, authentication codes. We show 
how it is possible to modify some known families of hash functions into a 
form such that the evaluation is similar' to “bucket hashing” , a technique 
for very fast hashing introduced by Rogaway. Rogaway’s bucket hash 
family has a huge key size, which for common parameter choices can be 
more than a hundred thousand bits. The proposed hash families have a 
key size that is close to the key size of the theoretically best known con- 
structions, typically a few hundred bits, and the evaluation has a time 
complexity that is similar to bucket hashing. 

Keywords. Universal hash functions, message authentication, authen- 
tication codes, bucket hashing, software implementations. 



1 Introduction 

Universal hashing is a concept that was introduced by Carter and Wegman [8] 
in 1979. Since then, many results in theoretical computer science use different 
kinds of universal hashing. One of the main topics in universal hashing is called 
strongly universal hashing, and has a large amount of applications in computer 
science. The most widely known application in cryptography is the construction 
of unconditionally secure authentication codes. The model for unconditionally 
secure authentication codes was originally developed by Simmons [25, 26], see 
also [10] . One of the most important aspect of strongly universal hash functions 
is that the constructions should be simple to implement in software and/or 
hardware. Such implementation aspects have recently been in focus, and there 
are several papers addressing this topic [13, 16, 17, 22, 24, 11, 1]. 

Message authentication is one of the most common cryptographic settings 
today. In this setting a transmitter and a receiver share a secret key e. When the 
transmitter wants to send the receiver a message s, he computes a socalled mes- 
sage authentication code^ (MAC), MAC = /e(s), and sends the pair (s,MAC). 
Here /e() denotes the function producing the MAC using key e. Receiving a 
pair (s', MAC') the receiver checks that MAC' — /e(s'). If this is the case, the 
message is accepted as authentic, otherwise it is rejected. 

^ In the theory of universal hashing, this is usually referred to as a tag (or an 
authenticator). 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 149-162, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




150 



The fastest software MACs in common use today are based on software ef- 
ficient cryptographic hash functions, such as MD5 [21, 7]. We refer to such an 
approach as the MAC scheme approach. For an overview, see [18, 19, 20]. Since 
we are computing one of the fastest types of cryptographic primitives^ on a 
string essentially identical to the message, one might think that it is not possible 
to do much better. However, as was shown by Wegman and Carter already in 
1981 [28], this is not the case. It was noted that one does not need to work with 
a “cryptographically strong primitive” . A “cryptographically strong primitive” 
needs some complexity to resist attacks (e.g. many rounds) , and this complexity 
is also time consuming. Through Wegman and Carter’s universal hashing, one 
can instead work with a very simple function (the universal hash function) to 
produce a MAC. We refer to this approach as the universal hash approach. The 
details of such an approach are given in the last section of this paper. We review 
some advantages of using the universal hash approach instead of the usual MAC 
scheme approach. 

- Speed: The universal hash function can be very simple to implement, and 
experimental implementations (e.g. [11]) indicate that producing the MAC 
using universal hash functions is faster than for example MD5 based tech- 
niques. 

- Parallelizahle: For this self-explaining property to hold, it is sufficient that 
(a part of) the universal hash function is a linear function, which is usually 
the case. 

— Incremental: If a small part of the message is modified or a part is added 
to the message, we do not need to perform the new MAC calculation over 
the whole message but only over the small part that was modified/added. 
This is again a consequence of the linearity of (a part of) the universal hash 
function. 

— Unconditional security/Provable security: Universal hashing is “uncondition- 
ally secure”, i.e., the probability of success in an attack is independent of 
computational resources. The universal hash approach sometimes includes 
usage of some cryptographic primitive to provide multiple use. This usage 
can be done in the form of provable security, i.e., an adversary who can break 
the scheme can also break the underlying cryptographic primitive [22]. 

Note that MAC schemes are highly nonlinear, hence usually neither parallelizable 
nor incremental^. Also, reductions for MAC schemes to show provable security 
are not at all as tight as for the universal hash approach, for details see [4, 22, 2], 
This paper studies very fast software implementations of strongly universal 
hash functions. One of the most important steps in this direction was taken by 
Rogaway when he introduced a technique for hashing called “bucket hashing” 
[22]. It is a very efficient way of producing a MAC, ideally requiring only 6-10 
simple instruction per word to be authenticated. The drawback of this approach 

^ MD5 can probably not be considered to be a “cryptographically strong primitive” , 
due to an attack by Dobbertin [9]. 

^ In [3], a MAC scheme (XOR-MAC) was presented, which is incremental. 




151 



is the huge key size that is included, which for common parameter choices can 
be more than a himdred thousand bits. This requires the key to be generated 
through a pseudo-random number generator. 

As mentioned before, there have been some previous work on software effi- 
ciency of universal hash functions, [17, 24, 11, 1], The recent paper [11] considers 
evaluation of universal hash functions on processors supporting very fast integer 
multiplication. On such processors, they get an extremely high speed. Another 
recent paper [1] is more in the line of our work, focusing on evaluation in hash 
families with a small key size. 

Our contribution is to show how it is possible to modify some known families 
of hash functions into a form such that the evaluation is similar to “bucket 
hashing” . The proposed hash functions have a key size that is close to the key 
size of the theoretically best known constructions, which for common parameter 
choices can be around a hundred bits for a single use. Furthermore, the evaluation 
has a time complexity that is similar to bucket hashing and use the same simple 
instructions. 

The paper is organized as follows. In Section 2 the basic definitions in univer- 
sal hashing and authentication theory are given, as well as connections between 
them. Section 3 reviews bucket hashing, and in Section 4 we introduce our new 
approach to bucket hashing. In Section 5 we discuss implementation and param- 
eter choices and finally, in Section 6, we review how the proposed hash families 
are used to produce a MAC. 



2 Universal hash functions and authentication codes 

In universal hashing, we consider a hash family 5, which is a set Q of \Q\ functions 
such that g : X Y for each g E. Q. Interesting cardinality parameters for a 

hash family are |C?|, lA”!, and |F|. Two relevant definitions are the following. 

Definition 1. A hash family Q is called t-almost universak if for any two dis- 
tinct elements Xi,X 2 € X, there are at most e\Q\ functions g E G such that 
g{xi) = g{x 2 )- We use the abbreviation e-AU 2 for the family. 

Definition 2. A hash family Q is called (-almost strongly universal^ if 

i) for any x E X and any y E Y, there are exactly |I7|/|T| functions g E Q such 
that g{x) = y. 

ii) for any two distinct elements X\,X 2 E X, and for any two elements yi,y 2 E 
Y, there are at most elf/|/|T| functions g E G such that g{x-i) — y\, and 
g{x2) = V2- 

We here use the abbreviation e-ASU 2 

For a more thorough treatment of universal hashing, we refer to [27], where these 
concepts are derived further. We will instead consider the known equivalences 
between strongly universal hashing and authentication codes. 




152 



Authentication theory as originally described by Simmons [25], [26], see also 
[10], considers the problem of two trusting parties, who want to send informa- 
tion from the transmitter to the receiver in the presence of an adversary. The 
adversary may introduce false messages to the receiver or replace a legal message 
with a false one. To protect against these threats, the sender and the receiver 
share a secret key. The key is then used in an authentication code (A-code). 

A systematic (or Cartesian) A-code is a code where the information to be 
transmitted appears in plaintext in the transmitted message. Such a code is 
a triple {S,£,Z) of finite sets and a map f : S x £ Z. Here S is the 
set of source states, i.e., the information that is to be transmitted, £ is the 
set of keys, and Z is the tag alphabet. When the transmitter wants to send 
the information s £ S using his secret key e € f, he transmits the mes- 
sage m = (s,z), where = f{s,e), and m £ M = S x Z. When the re- 
ceiver receives a message m' = {s' ,z'), he checks the authenticity by calculating 
whether z' = f{s',e) or not. If equality holds, the message m is called valid. 
The adversary has two different attacks to choose between. He might introduce 
a false message m = (s,z), and hence impersonating the transmitter, called 
the impersonation attack. He can also choose to observe a transmitted message 
m = {s,z), and then replace this message with another message m' — {s',z'), 
where s' ^ s. This is called the substitution attack. The probability of success 
for the adversary when trying either of the two attacks, denoted by Pi and 
Ps respectively, are formally defined by Pj = maxs j F(m = valid) and 
Ps = maxs, 2 maxg^^s^j- P(m' = {s',z') valid|m = (s, 2 ;) observed). We assume 
that the keys are uniformly distributed. Then these probabilities can be written 
as 



Pi 



max 



\{e££-.z=^ f{s,e)}\ 



Ps = max max 

S':^S,Z‘ 



|{ee5}| 

|{e € g : z = f(s,e),z' = /(s',e)}| 
\{e££ :z= /(s,e)}| 



( 1 ) 

(2) 



For a review of different bounds and constructions of A-codes, we refer to [15]. 
The main result on the equivalence between strongly universal hashing and au- 
thentication/coding theory is the following. 

Theorems [5, 28, 27]. 



i) If there exists a q-ary code with codeword length n, cardinality M , and min- 
imum Hamming distance d, then there exists an t-AUi, family of hash func- 
tions where e — 1 - dfn, |5| = n, jW] = M, and |F| = q. Conversely, if 
there exists an e-AUi family of hash functions, then there exists a code with 
parameters as above. 

ii) If there exists an A-code with parameters jtSj, \£\, Pi = 1/|2|, and Ps, then 
there exists an e-ASU 2 family of hash functions where e = Ps, \Q\ = \£\, 
[Aj = S, and |y| = \Z\. Conversely, if there exists an e-ASU^ family of 
hash functions, then there exists an A-code with parameters as above. 




153 



We review the equivalence ii) above. Each key e £ £ in the A-code corresponds 
to a unique function ge in Q, and S = X. The tag z in the authentication code 
is then obtained as 



2- = 9e(s)- 

The significance of e-AU2 families in strongly universal hashing lies in the 
fact that they are very useful when constructing strongly universal hash families. 
This is due to the following result by Stinson. 

Lemma 4 [27]. Let Qi be ei-Al /2 from to Yi and let G 2 be e 2 -ASU 2 from 
Yi to Y 2 - Then Q = {92(91(2:)) : 9i £ Q\-,Qi £ Qi\ «« e-ASll 2 with e = ci + f.2- 

Most constructions of e-ASU2 families of hash functions for large |AT| use this 
composition construction. The constructions giving best performance in terms 
of key size [5] (see also [12]) uses Reed-Solomon codes as the £-AU2 family in 
the above composition construction. Another useful result, originally used in the 
Wegman-Carter construction [28], is obtained through tlie Cartesian product. 

Lemma 5 [28, 27]. Let Q be e-All 2 from X to Y . Let = {g"'{xi,X 2 , ■ ■ ■ ,^m) = 
(9(211), 9(2:2), • ■ ■ ,9{xm)) : 9 £ 01 } be a set of hash functions from X^ to Y"L 
ThenQ"' = {p'"} ise-AU 2 . 



3 Bucket hashing 



The bucket hashing technique was introduced by Rogaway in [22]. It gave rise to 
e-All2 families that are extremely fast to compute, at the cost of a very large key. 
Rogaway’s arguments was to produce this long key through a pseudo-random 
number generator. We review some details of the bucket hashing technique. 

Fix a “word size” w > 1 . For n> N the hash function is defined to map from 
X = {0, 1}*"" to y = {0, 1}“'^. The number N is referred to as “the number of 
buckets”. It is further required that N{N — Y){N — 2) > fin. 

Let Hb[Wi n, iV] denote the hash family. Then each h £ n, A^] is speci- 

fied by a length n list where each entry contains 3 integer numbers in the interval 
[0, W — 1]. Denote this list by h = (/iq, hi, . . . , hn-i), where /q = {h\,h\,h\). 
The hash family 7f£[w,n, A’] is given by the hash functions taken over the set 
of all possible lists h subject to the constraint that no two of the 3-element sets 
in the list are the same, i.e., hi ^ j. 

With a given hash function h = {ho, hi , . . . ,/i„_i), the output value h{x) is 
defined as follows. Let x = xqXi ■ ■ ■ Xn-i , where each Xi is a bit vector of length 
w. Initialize Uj to 0“ for 0 < j < N ~ 1. Then, for each i, replace t/ 1,1 with 
Hh^ @ Xi, Dhi with © Xi, and 9^,3 with y;,? © Xi. Then set the output to be 




154 



h{x) = 3/oJ/i • ■ ■ J/n-i ■ In pseudocode, we can write the algorithm as follows. 

for j = 0 to — 1 do 

y[j] = 0- 

for i = 0 to n ~ 1 do 
y[hl] = y[h\] © Xi 
y[hf] = i/[hf] © Xi 
y[hf] = y[h^] © Xi 
return i/[0]y[l] ■ • •y[n - 1] 

The computation of h{x) gives rise to the name “bucket hashing” , since it can 
be envisioned in the following way. We have N initially empty buckets. The first 
word of X is then thrown into three buckets, specified by Hq. Then the second 
word of X is thrown into three buckets, specified by hi, and so on. Finally, the 
xor of the content in each of the buckets is computed, and the hash function 
output is the concatenation of the final content of the buckets. This is shown in 
Figure 1. 




Fig. 1. A word is thrown into three buckets in Rogaway’s bucket hashing. 



The collision probability e is given by a complicated expression [22] and in- 
stead of giving it here, we will just transfer some numerical values from [22] 
whenever needed. For example, for n = 1024 and N = 100, the collision prob- 
ability is approximately i.e., N] is an e-AU 2 hash family where 

e = 2 - 28 . 

The bucket hashing approach gives a very fast implementation, since it only 
requires simple word operations as load, store and xor. Rogaway estimates 
that one word can be processed using only 6—10 such simple instructions. 
Usually such simple instructions require only one clock cycle each, and can even 
be executed in parallel on many processors. 

The drawback of the bucket hashing approach is the long key that is used. The 
key size is approximately 3nlog2 N, which is huge. For n = 1024 and N = 100, 
this is already more than 20000 bits, whereas a theoretically good construction 
[6, 14] for the same e would require 76 key bits. Hence, the key bits in the 
bucket hashing construction must be generated by a pseudo-random number 
generator. This might be time consuming and the hash families are no longer 
unconditionally secure. 





155 



4 Bucket hashing with a small key size 

The purpose of this section is to slightly modify some existing constructions of 
e-AU 2 families of hash functions and then show that they can be implemented in 
a way that resembles the bucket hashing technique. The approach taken here is 
based on evaluation of polynomials similar to [6, 14]. The difference is essentially 
that we only consider polynomials over GF{2), whereas the previous approaches 
consider polynomials over a larger field. 

The following is a description of an e-AU 2 family of hash functions. Let Vd 
be the set of all polynomials over GF{2) without constant term and with degree 
at most D , i.e., 

'Pd = {p{x) ■■ p(x) = pix +p 2 x^ d \-pDX^,Pi € GF{2), 1 <i < D}. 

The hash family Qi is defined as follows. Let the functions in Qi map from 
X = Pn to Y ^ GF{2^), letpepD = X,a€ GF{2”‘), and define 

9a{p) = P{a). 



Theorem 6. The family 



Qi = { 5 a(p) :aeGF(2™)}, 



is an e-AU -2 family of hash functions where 

\g,\ = 2"\ |A| = 2^, |r| = 2"*, e = ~. 



Proof. 



e. = max 



max 

X]/X2 



= max 

Xl^X2 



\{geOi :g{xi) ^g(x 2 )}\ 

\Gi\ 

I {g e GF(2”‘) : (g) = (a)} | 

2m 

|{aeGF(2”'):Px.-x2{«) = 0}| 



< 



D_ 

2m ’ 



since any nonzero polynomial of degree D has at most D zeros. 



□ 



Note that this is a slightly weaker result than in [6], where the polynomials 
have coefficients from GF(2™) and this does not change e. However, as we will 
see, our approach will give a very efficient evaluation. 

A generalization of the above construction is the hash family 02 , constructed 
as follows. Let the functions in 02 map from X = Pq to F = GF(2"‘), let 
P = (Pi:P 2 , ■ ■ ■ ,Pn) epD = X and define 

=Pl(ai) + ••■ +Pn{oiri)- 




156 



Theorem 7. The family 



Q 2 = {ga, (p) : ai e GF(2“), } 

is an e-A U 2 family of hash functions where 

1^21 = 2"“, = |y| = 2-, e=^. 

Proof. Similar to Theorem 6. □ 



The central topic is to have a fast evaluation. We will now describe a hash 
family, denoted Qb[w, n, N], which has a fast evaluation. Then we show that this 
hash family is an implementation of Gi or ^27 depending on a parameter choice 
in GB[w,n,N]. 

Description of GB{w,n, N]: Fix w as the “word size” and let N = . 

For n > N the hash function is defined to map from X = {0, 1}“” to T = 
{Q l}ium jjj j-jjg implementation there is an intermediate level using L arrays 
with N = 2’"''^^ words in each, so the hash function can be described to map 

X = {0, 1}"'" {0, {0, 1}“'™ = Y. 

The number N can be interpreted as “the number of buckets” and the number 
L can be interpreted as “the number of rows of buckets” . 

Each h € Gb^w, n, N] is specified by a length n list where each entry contains 
L integer numbers in [0, N — 1]. Denote this list by h — {ho, hi , . . . , h„_i), where 
hi = (h°, . . . , hf^^). The hash family ^e[w,n, N] is given by a set of such lists, 
which we call the set of all allowed lists. Different choices of this set will give 
different hash families. 

With a given hash function h = (ho,hi, . . . , h„„i), the output value h{x) 
is defined as follows. Let x = aroZi • • • Xn-\ , where each Xi is a bit vector of 
length w. Introduce L arrays of length N, called y^, 0 < k < L — 1. Initialize 
Vklj] to 0“ for 0 < A: < L - 1 and 0 < j < N - 1. Then, for each i, replace 
yo[hi] with ?/o[h°]©a:i, yi[h\] with j/i[h|]®Xi, continuing in this way, and finally 
replacing yi-i[h}f~^] with “'] ©x^. This first step has hashed the input 

to the intermediate level of L rows of buckets, each containing N words. The 
procedure for L = 2 is shown in Figure 2. 

Next, for each array, we compress the array in the following way. In 

we have a primitive element 7 which satisfies 7"*/^-' = H f5i7+ 

po, where pt £ GF(2). From j = iV— 2 down to m/L we add (xor) yk[j] top*; [7—*] 
for all i such that p,; = 1. Finally, set the output to be h(.x) = yo ■ ■ ■ Vl-i, where 
yi denotes the content of the array (pt[0] ■ --yilm/L — 1]). 




157 



,W3,W2,Wi 





Fig. 2. A word is thrown into one bucket in each “row of buckets”, here L = 2. 



Assuming a generated list h, we can give a pseudocode for the case L = 2 
with = rym/ 2 -b _|_ gQj^g integer h with I < 6 < m /2 — 1 , as follows. 

for j = 0 to N — 2 do 

2 /ob 1 = 0 “, i/i[j]= 0 «’ 
for 1 = 0 to n — 1 do 

2/o[/i?] = yo[h°] (BXi 
yi[hl] = iyi[/i'] ©a;; 
for j — N — 2 to m/2 do 

yo[j - i] = yo[j - ii] © yo\j] , J/o[i - m/2] = yo[j - m/2] © i/o[j] 
yi [j -b]=yi [j -b](Byi [j] , yi [j - m/2] = yi [/ - m/2] © yi [j] 
return 2/o[0]i/o[l] • • •i/o[m/2 - l]i/i[0]i/i[l] • ■ •i/i[m/2 - 1] 

Observe that Qb[w,ti,N] can be evaluated efficiently using only simple in- 
structions as load, store and xor. Next we prove equivalences between Gb[w, n, TV] 
and the hash families Q\ and £/ 2 - Let [z] denote the vector (zq, . . . , zl-i)> where 

7 ^' € GF{2'"^/^), and by convention 7 ^“^ = 0 , such that z = 7 *“ + 7^‘/3 H f 

7 ^ 1 ,-i^i-i £ GF(2™). Here (3 € GF{2^) and h{(3) = 0 for some irreducible 
polynomial h{x) of degree L over GF(2'”/^). 

Theorems. Let the set of allowed lists be 

{([a],[a2],...,[a"]),y«€GF{2™)}. 

Then the hash family QB\o),n, A’] is equivalent to i.e., the Cartesian product 
of w hash families G\ as in Lemma 5. 

Proof. The proof is in two steps. 

1. The ith bit of each output word is only dependent on the ith bit of each 
input word Xj and independent of all the other bit positions in the input words. 
Hence we can view the hash family Qb[w,u, N] as a Cartesian product of w 
hash families each having an input word size of one, as in Lemma 5. So w.l.o.g 
we assume w = 1 . 




158 



2. Regard each array (of length as corresponding to an enumeration of 

elements in GF(2”^/^), i.e., GF{2™/^) = {7°, 7^7 ^, . . . , 7^"’'^^“'^, 0} and entry 
Zi corresponds to element 7^* . View GF(2”*) as a direct product of such subfields, 
i.e., 

GF(2’") = GF(2™/^) ® • ■ ■ ® GF(2'"/^), 

' ,, ' 

L 

where each subfield is represented by one array. An element z 6 GF(2’") is repre- 
sented by the vector 2 = (20! • ■ ■ where 7"^’ G GF(2™/^). Putting an input 

word (w == 1) in bucket Zi means adding 7"“^ in the subfleld, and hence, putting 
an input word Xi in buckets represented by [z] = (20 , . . . , 2 l_i) means adding 
XiZ to the previous content of the buckets. Hence, the list ([a], [a^], . . . , [a"]), for 

a € GF(2™) means adding XQa+XiO^ -\ ha:„a". The result is now represented 

as powers of 7 in each subfield (array). In the last part, adding Vk\j] to yk[j ~ i] 
for all i such that gi = 1 from j — N — 2 down to m/L simply means reducing the 
powers of 7 to the basis ... , 7 , 1 }. Hence the output of C/B[w,n, A^] is 

xaa+xia^+- ■ -+Xna^ e GF(2”*), where GF(2™) = GF(2'"/^)®’ ■ •®GF(2™/^') 
and GF(2'"/^) is represented using the basis ( 7 "*^^^ , . . . , 7, 1 }. □ 

A similar result can be obtained for the family ^2- For example, let the set 
of allowed lists be 

{([Qi],[a2l,...,[o'„)),Va, € GF(2™),1 < t < n}, 

i.e., the set of all possible lists. Then n, N] is equivalent to with D = 1, 
i.e., the Cartesian product of w hash families Q 2 with I> = 1. 

5 Implementation and parameter choices 

Clearly, the efficiency of the evaluation will depend on the choice of parame- 
ters in the above description. Let us consider some different ways to implement 
ObIwjTI, N], Note that the situation is very similar to Rogaway’s bucket hash- 
ing. We can process word by word from input, or we can process bucket by 
bucket. Furthermore, we can use a self-modifying code (the actual hash function 
is implemented in the program code), or we can read the bucket/ word locations 
from a table in memory. The fastest choice is a self-modifying code processing 
bucket by bucket. Then we can keep the current bucket in a register while pro- 
cessing, requiring only one load and one xor instruction for each input word 
and each row of buckets. Hence, for L rows this requires 2L simple instructions. 
For further details we refer to [22]. 

Furthermore, the compression of the arrays means LNc load, add and store 
operations, where c is the number of nonzero coefficients in the primitive polyno- 
mial defining 7 (this can usually be chosen to be 2) . For n>> N the time to do 
the compression part is hence negligible compared to the first part. Initialization 
of the list h is done only once. Hence, when concatenating this hash function 
many times using Lemma 5, the time to execute this part is also negligible. 




159 



For tabulating some values, we regard n = 8N as being sufficient for consid- 
ering the compression to be negligible in time. Also, the generation of the list 
h is different depending on the actual choice of hash function. In all cases we 
are aware of the fact that we need to concatenate a few, say 10, hash families 
in order to make the time to process this part small. Alternatively, considering 
multiple use, we can assume that the list h is generated once and then kept 
fixed. We tabulate some values for different parameter values in Table 1. The 
input size, the output size and N are given in number of words; e is the collision 
probability; the key size is given in bits; and the time column gives the mini- 
mal number of simple instructions per word for a self-modifying code processing 
bucket by bucket. 



Hash function and parameters 


Input size 


Output size 


e 


Key size 


Time 


Bucket hashing, n = 4096, = 40 








BEnmill 


6 


Bucket hashing, n — 4096, N = 200 






w 




6 






30 






mm 




213 




2-27 


■9 






213 




2-37 


50 


B 




213 




2-57 


70 


B 


Cl^iV = 2^^ L = A 


2^3 


80 






8 


g^iV = 2l^L = 4, D = 5I2 


mm 


40 


ma 


640 


8 



Table 1. A comparison for some different parameter choices. 



In order to process each simple instruction in at most one clock cycle (we 
might execute several in parallel) on a usual processor, each reference to a mem- 
ory location needs to be in the on-chip cache of the processor. Hence, for a 
self-modifying code processing bucket by bucket, the input to one hash function 
must fit the on-chip cache, giving restrictions on the input size and thus on 
N. Examining the sizes of the on-chip caches of todays processors, N = 2^^^ is 
probably about the maximum size of the arrays under these circumstances. 

Note the fact that some properties of Rogaway’s bucket hashing and the 
proposed techniques are different and hence the techniques are not directly com- 
parable. Especially, Qi gives a much higher compression, i.e., input size/output 
size is much smaller. This means that including Qi, it is enough to concatenate 
two hash families using Lemma 4 to get the desired output size, whereas bucket 
hashing requires many concatenations to obtain the desired output size. This 
can be a problem for large messages since producing a large hash output that 
has to be written in memory and then further processed will produce cash-misses 
etc. 



















160 



6 The universal hash approach in practice 

Up to this point, we have only considered how to construct the e-AU2 hash family. 
This short section overviews how to use the e-AU2 hash family to produce an 
e-ASU2 hash family that gives an authentication tag (MAC) and also have the 
properties mentioned in Section 1. 

The usage of e-ASU2 families of hash functions in the described way applies 
to the case of sending/storing one message with fixed length (variable length can 
easily be included [22]). Sometimes one is interested in multiple use, i.e., send- 
ing/storing many message where each message needs individual authentication. 
In the unconditionally secure approach, the solution is to add new random key 
bits for each additional messages to be hashed. If /le^ () is the e-ASU2 hash func- 
tion, the MACs {z\ ,Z 2 ,- ■ ■) for a sequence of messages si, «2, ■ • ■ can be produced 
by 

Z\ (^l)j ■^2 ^ei (^ 2 ) ^2i -2^3 ^ei (^s) • • * i 

where 62,63 , .. . are randomly chosen keys of same length as the MAC. It can 
be proved [28] that this procedure gives the same Pj and Ps as for the single 
message case. 

In some cases, the number of messages is limited and then it is preferable to 
keep the unconditionally secure approach. In other cases, the set {62,63 , . . .} of 
randomly chosen keys is too large to be kept secret in an unconditionally secure 
way. Instead, one uses a pseudo-random number generator to produce this set. 
In such a case, some of the motivation to consider C-AU2 hash families with a 
short key is lost, since the same pseudo-random number generator can be used 
to produce the hash function itself. 

A complete e-ASU2 hash family obtained by Lemma 4 can be described as 
follows. Let X be the message that is to be hashed. Divide x into suitable sized 
substrings x = X\X 2 • • •a:„. Apply a secretly chosen e-AU2 hash function hi and 
calculate yi = hi(xi), I < i < n. For the obtained string y = yiy^ ■ ■ yn (now 
of modest size) we have secretly selected another 6-ASU2 hash function /12 and 
calculates w — h 2 {y). In an unconditionally secure authentication code we would 
select a secret key e and form a MAC of the form MAC = w + e. For the next 
message, we use a new value of e, etc. 

If we want to produce the sequence of keys using a pseudo-random number 
generator we can do as follows. We have a counter, call it ent, which is initially 
zero. This counter is used together with a cryptographic primitive, e.g. RC5 [23], 
using a secret key e. The MAC for the message is given by 

MAC = w + RC5p (ent ) , 

together with the used value of the counter. Finally, ent is incremented. 

Example: As a particular example for w = 32, choose Qi with N = 1024 and 
L = 7 as the first hash family. The key ei to select the hash function is 70 bits. 
We have 8092 word input, producing a 70 word output and e = 2“'^^. As the 
second hash family, choose the polynomial evaluation hash [6, 14] over GF(2™). 
Out key 62 for this hash family is 70 bits as well. 




161 



Divide the input x in 32 Kbyte blocks x = X1X2 ■ ■ ■ Xn- Apply the methods 
described in Section 4 on each block Xj, receiving n 70 - word blocks called yi, 
by yi = Qeiixi). Then form the string y = t/11/2 ■ ■ - yn and interpret this as a 
polynomial over GF{ 2 '^°). This polynomial, call it y(x), will then have degree 
32 n. Evaluate the polynomial in 62, obtaining w = y{e2)- Then calculate the 
MAC as MAC = w + 63, where 63 is a third 70 bit key. Finally, we output 
(x,MAC). The value of e will depend on n, but for input sizes smaller than 
8Mbyte we have c < 2 ~®®. 

Alternatively, using RC 5 in multiple use we calculate the MAC as MAC = 
w + RC5e3 (cnt), output (x,cnt, MAC), and increment the counter. 



References 

1 . V. Afanassiev, C. Gehrmann, B. Smcets, Fast massage authentication using effi- 
cient polynomial evaluation. Proceedings of Fast Software Encryption Conference 
’97, to appear. 

2. M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authen- 
tication, Lecture Notes tn Computer Science 1109 (1996), 1 15 (CRYPTO ’96). 

3. M. Bellare, R. Guerin, P. Rogaway, XOR MACs: New methods for message au- 
thentication, Lecture Notes in Computer Science 963 (1995), 15-28 (CRYPTO 
’95). 

4. M. Bellai'e, J. Kilian, P. Rogaway, The security of cipher block chaining, Lecture 
Notes in Computer Science 839 (1994), 341-358 (CRYPTO ’94). 

5. J. Bierbrauer, T. Johansson, G. Kabatianskii, and B. Smeets, On families of hash 
functions via geometric codes and concatenation. Lecture Notes in Computer Sci- 
ence, 7T3 (1994), 331-342 (CRYPTO ’93). 

6. B. den Boer, A simple and key-economical unconditionally authentication scheme, 
Journal of Computer Security, 2 (1993), 65-71. 

7. A. Bosselaers, R. Govaerts, J. Vandewalle, Feist hashing on the Pentium, Lecture 
Notes in Computer Science 1109 (1996), 298-313 (CRYPTO ’96). 

8. J.L. Carter, M.N. Wegman, Universal classes of hash functions, J. Computer and 
System Sciences, 18 (1979), 143 -154. 

9. H. Dobbertin, Cryptoanalysis of MD5 compress, presented at the rump session of 
EUROCRYPT’96. 

10. E.N. Gilbert, F.J. MacWilliams, and N.J.A. Sloane, Codes which detect deception, 
Bell Syst. Tech. J., 53 (1974), 405-424. 

11. S. Halevi, H. Krawczyk, Software message authentication in the Gbit/second rates. 
Proceedings of Fast Software Encryption Conference ’97, to appear. 

12. T, Helleseth and T. Johansson, Universal hash functions from exponential sums 
over finite fields and Galois rings. Lecture Notes in Computer Science 1109 (1996), 
31-44 (CRYPTO ’96). 

13. T. Johansson, A shift register construction of unconditionally secure authentication 
codes, Designs, Codes and Cryptography, 4 (1994), 69-81. 

14. T. Johansson, G. Kabatianskii, B. Smeets, On the relation between A-codes and 
codes correcting independent errors. Lecture Notes in Computer Science, 765 
(1994), Ml (EUROCRYPT’93). 




162 



15. G, Kabatianskii, B. Smeets, and T. Johansson, On the cardinality of systematic 
authentication codes via error correcting codes, IEEE Trans. Inform. Theory, 42 
(1996), 566-578. 

16. H. Krawczyk, LFSR-based hashing and authentication, Lecture Notes in Computer 
Science, 839 (1994), 129-139 (CRYPTO ’94). 

17. H. Krawczyk, New hash functions for message authentication. Lecture Notes in 
Computer Science, 921 (1995), 140-149 (EUROCRYPT ’95). 

18. B. Preneel, Cryptographic hash functions, European Transactions on Telecommu- 
nications, 5 (1994), 431-448. 

19. B. Preneel, P. van Oorschot, MDx-MAC and building fast MACs from hash func- 
tions, Lecture Notes in Computer Science, 963 (1995), 1-14 (CRYPTO ’95). 

20. B. Preneel, P. van Oorschot, On the security of two MAC algorithms. Lecture Notes 
in Computer Science, 1070 (1996), 19-32 (EUROCRYPT ’96). 

21. R.L. Rivest, The MD5 message-digest algorithm. Request for Comments 1321, 
Internet Activities Board, Internet Privacy Task Force (1992). 

22. P. Rogaway, Bucket hashing and its application to fast message authentication. 
Lecture Notes in Computer Science, 963 (1995), 29-42 (CRYPTO ’95). 

23. B. Schneier, Applied Cryptography, John Wiley & Sons (1996). 

24. V. Shoup, On fast and provably secure message authentication based on universal 
hashing. Lecture Notes in Computer Science, 1109 (1996), 313-328 (CRYPTO 
’96). 

25. G.J. Simmons, A game theory model of digital message authentication, Congr. 
Numer., 34 (1992), 413-424. 

26. G.J. Simmons, Authentication theory/coding theory, in Lecture Notes in Computer 
Science, 196 (1985), 411-431 (CRYPTO ’84). 

27. D.R. Stinson, Universal hashing and authentication codes. Codes, Designs and 
Cryptography, 4 (1994), 337-346. 

28. M.N. Wegman and J.L. Carter, New hash functions and their use in authentication 
and set equality, J. Computer and System Sciences, 22 (1981), 265-279. 




A New Paradigm for Collision-Free Hashing: 
Incrementality at Reduced Cost 



Mihir Bellaxe^ and Daniele Micciancio^ 

^ Dept, of Computer Science fe Engineering, University of California at San Diego, 
9500 Gilman Drive, La Jolla, California 92093, USA. El-Mail: mihirSwatson.ibm.com. 
URL: http: //www-cse . ncsd . edu/users/mihir . 

® MIT Laboratory for Computer Science, 545 Technology Squetre, Cambridge, MA 
02139, USA. El-Mail: miccianc8theory.lcs.mit.edu. 



Abstract . We present a simple, new par 2 tdigm for the design of collision- 
free hash functions. Any function emanating from this paradigm is incre- 
mental. (This means that if a message x which I have previously hashed 
is modified to x' then rather than having to re-compute the hash of x' 
from scratch, I can quickly “update” the old hash value to the new one, 
in time proportional to the amount of modification made in x to get 
x'.) Also any function emanating from this paradigm is parallelizable, 
useful for hardware implementation. We derive several specific functions 
from our paradigm. All use a standard hash function, assumed ideal, and 
some algebraic operations. The first function, MuHASH, uses one modu- 
lar multiplication per block of the message, making it reasonably efficient, 
and significantly faster than previous incremental hash functions. Its se- 
curity is proven, based on the hardness of the discrete logarithm problem. 
A second function, AdHASH, is even faster, using additions instead of 
multiplications, with security proven given either that approximation of 
the length of shortest lattice vectors is hard or that the weighted subset 
sum problem is hard. A third function, LtHASH, is a practical variant of 
recent lattice based functions, with security proven based, again on the 
hardness of shortest lattice vector approximation. 



1 Introduction 

A collision-free hash function maps arbitrarily long inputs to outputs of a fixed 
length, but in such a way that it is computationally infeasible to find a colli- 
sion, meaning two distinct messages i, y which hash to the same point.® These 
functions were first conceived and designed for the purpose of hashing messages 
before signing, the point being to apply the (expensive) signature operation only 
to short data. (Whence the collision-freeness requirement, which is easily seen 
to be a necessziry condition for the security of the signature scheme.) Although 
this remains the most important usage for these functions, over time many other 

® The formal definition in Section 2 speaks of a family of functions, but we dispense 
with the formalities for now. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 163-192, 1997. 
© Springer-Verlag Berlin Fleidelberg 1997 




164 



applications have arisen as well. Collision-free hash functions are now well rec- 
ognized as one of the important cryptographic primitives, and are in extensive 
use. 

We tire interested in finding hash functions that have a particular efficiency 
feature cailled “incrementaJity” which we describe below. Motivated by this we 
present a new paradigm for the design of collision-free hcish functions. We obtain 
from it some specific incremental hash functions that are significantly faster than 
previous ones. 

It turns out that even putting incrementality aside, functions resulting from 
our paradigm have attractive features, such as parallelizability. 

1.1 Incremental Hashing 

The idea. The notion of incrementality was advanced by Bellare, Goldreich 
and Goldwasser [BGGl]. They point out that when we cryptographically pro- 
cess documents in bulk, these documents may be related to each other, something 
we could take advantage of to speed up the computation of the cryptographic 
transformations. Specifically, a message x' which I want to hash may be a simple 
modification of a message x which I previously hashed. If I have already com- 
puted the hash f{x) of x then, rather than re-computing f{x') from scratch, I 
would like to just quickly “update” the old hash value f{x) to the new value 
f{x'). An incremental hash function is one that permits this. 

For example, suppose I want to maintain a hash value of all the files on my 
hard disk. When one file is modified, I do not want to re-hash the entire disk 
contents to get the hash value. Instead, I can apply a simple update operation 
that takes the old hash value and some description of the changes to produce 
the new hash value, in time proportional to the ^lmount of change. 

In summary, what we want is a collision-free hash function / for which the 
following is true. Let x = ii . . . z„ be some input, viewed as a sequence of 
blocks, and say block i is modified to i'-. Let x' be the new message. Then given 
f{x),i,Xi,Xi it should be easy to compute f{x'). 

Standard constructions fail. Incrementality does not seem easy to achieve. 
Standard methods of hash function construction fail to achieve it because they in- 
volve some sort of iteration. This is true for constructions based on block ciphers. 
(For description of these constructions see for example the survey [PGV].) It is 
also true for the compression function based constructions that use the Merkle- 
Damgard meta-method [Me, Da2]. The last includes popular functions like MD5 
[Ri], SHA-1 [SHA] and RIPEMD-160 [DBPj. The modular arithmetic based hash 
functions are in fact also iterative, and so are the bulk of number-theory based 
ones, eg. [Dal]. 

A thought that comes to mind is to use a tree structure for hashing, as 
described in [Me, Da2|. (Adjacent blocks are first hashed together, yielding a 
text half the length of the original one, and then the process is repeated until a 
final hash value is obtained.) One is tempted to think this is incremental because 
if a message block is modified, work proportional only to the tree depth needs 
to be done to update. The problem is you need to store the entire tree, meaning 




165 



all the intermediate hash values. What we want is to store only the final hash 
value and be able to increment given only this. 

Past work. To date the only incremental hash function was proposed by 
[BGGl], based on work of [CHP]. This function is based on discrete exponentia- 
tion in a group of prime order. It uses one modular exponentiation per message 
block to hash the message. This is very expensive, especially compared with 
standard hash functions. An increment operation takes time independent of the 
message size, but also involves exponentiation, so again is expensive. We want 
to do better, on both counts. 

1.2 The Randomize-then-combine Paradigm 

We introduce a new paradigm for the construction of collision-free hash func- 
tions. The high level structure is quite simple. View the message i as a sequence 
of blocks, X = ii . . .z„, each block being b bits long, where b is some parameter 
to choose at will. First, each block Xj is processed, via a function h, to yield 
an outcome yi. (Specifically, y, = h((i).Xi) where (i) is a binary representation 
of the block index i and denotes concatenation). These outcomes are then 
“combined” in some way to yield the final hash value y = j/i © j /2 © • • ■ © l/n» 
where 0 denotes the “combining operation.” 

Here h, the “randomizing” function, is derived in practice from some standard 
hash function like SHA-1, and treated in the analysis as an “ide 2 d” hash function 
or random oracle [BR]. The combining operation 0 is typically a group operation, 
meaning that we interpret j/i, . . . , j/n as members of some commutative group G 
whose operation is denoted 0. 

We call this the randomize-then-combine paradigm. It is described fully in 
Section 3. The security of this method depends of course on the choice of group, 
and we will see several choices that work. The key benefit we can observe straight 
away is that the resulting hash function is incremental. Indeed, if x» changes to 
x'-, one can re-compute the new hash value as y © h{xi)~^ © /i(xj) where y is the 
old hash value emd the inverse operation is in the group. Also it is easy to see 
the computation of the hash function is parallelizable. 

By choosing different groups we get various specific, incremental, collision- 
free hash functions, as we now describe. 

Notice that h needs itself to be collision-free, but applies only to fixed length 
inputs. Thus, it can be viewed as a “compression function.” Like [Me, Da2], 
our paradigm can thus be viewed as constructing variable input length hash 
functions from compression functions. However, our construction is “parallel” 
rather than iterative. It is important to note, though, that even though our 
constructions seem secure when A is a good compression function (meaning one 
that is not only collision-free but also has some randomness properties) the 
proofe of security require something much stronger, njunely that fr is a random 
oracle. 

1.3 MuHASH and its Features 

MuHash. Our first function, cedled MuHASH for “multiplicative hash,” sets the 




166 



combining operation to multiplication in a group G where the discrete logarithm 
problem is hard. (For concreteness, think G = Z* for a suitable prime p. In this 
case, hashing consists of “randomizing” the blocks via h to get elements of Z* 
and then multiplying all these modulo p). 

Efficiency. How fast is MuHASH? The cost is essentially one modular mul- 
tiplication per 6-bit block. Notice that one computation of h per 6-bit block is 
also required. However, the cost of computing h will usually be comparatively 
small. This is especially true if the block length is chosen appropriately. For ex- 
ample, if h is implemented via SHA, chosing 6 as a multiple of 512, the expensive 
padding step in computing SHA can be avoided and the total cost of computing 
h for every block is about the same as a single application of SHA on the whole 
message. The cost of h will be neglected in the rest of the paper. 

At first glance the presence of modular operations may make one pessimistic, 
but there are two things to note. First, it is multiplications, not exponentiations. 
Second, we can make the block size 6 large, making the amortized per-bit cost 
of the multiplications small. Thus, MuHASH is much faister than the previous 
incremental hash function. In fact it is faster than any number-theory based 
hash function we know. Note if hardware for modular multiplication is present, 
not unlikely these days, then MuHASH becomes even more efficient to compute. 

The increment operation on a block takes one multiplication and one division, 
again much better than the previous construction. 

Security. We show that as long as the discrete logarithm problem in G is hard 
and h is ideal, MuHASH is collision-free. (This may seem surprising at first glance 
since there does not seem to be any relation between discrete logarithms and 
MuHASH. In the latter we are just multiplying group elements, and no group 
generator is even present!) That is, we show that if there is any attack that 
finds collisions in MuHASH then there is a way to efficiently compute discrete 
logzuithms in G. The strength of this statement is that it makes no assumptions 
about the cryptanalytic techniques used by the MuHASH attacker: no matter 
what these techniques may be, the attacker will fail as long Eis the discrete 
logarithm problem in G is hard. This proven security means we are obviated 
from the need to consider the effects of any specific attacks. That is, it is not 
necessary to have em exhaustive anedysis of a list of possible attacks. 

The proven security provides a strong qualitative guarantee of the strength of 
the hash function. However, we have in addition a strong quantitative guarantee. 
Ncimely, we have reductions that are tight. To obtain these we have to use the 
group structure more carefully. We present separate reductions, with slightly 
different characteristics, for groups of prime order and for the multiplicative 
group modulo a prime. These are Theorem 4 and Theorem 5 respectively, In 
practice this is important because it me£uis we can work with a smaller value of 
the security parameter making the scheme more efficient. 

An interesting feature of MuHASH is that its “strength in practice” may 
greatly exceed its proven strength. MuHASH is proven secure if the discrete 
logarithm problem is hard, but it might be secure even if the discrete logarithm 
problem is easy, because we know of no attack that finds collisions even if it 




167 



is easy to compute discrete logarithms. And in practice, collision-freeness of h 
seems to suffice. 

1.4 AdHASH and its Features 

AdHASH (for “additive hash”) uses addition modulo a large enough integer M 
as the combining operation in the randomize-then-combine paradigm. In other 
words, to hash we first randomize the blocks of the message using h and then 
add all the results modulo M. 

Replacing multiplication by addition results in a significant improvement in 
efficiency. Hashing now only involves n modulcir additions, and the increment 
operation is just two moduleir additions. In fact AdHASH is competitive with 
standard hash functions in speed, with the added advantages of incrementality 
and parallelizability. 

AdHASH also has strong security guarantees. We show that it is collision-free 
as long as the “weighted knapsack problem” (which we define) is hard and h is 
ideal. But Ajtai [Aj] has given strong evidence that the weighted subset sum 
problem is hard; he has shown that this is true as long as there is no polynomial 
time approximation algorithm for the shortest vector problem in a lattice, in 
the worst case. But even if this approximation turns out to be feasible (which 
we don’t expect) the weighted subset sum problem may still be hard, so that 
AdHASH may still be secure. 

We also prove that AdHASH is a universal one-way hash function in the sense 
of Naor and Yung [NY], assuming the subset sum function of [INI, IN2] is one- 
way and h is ideal. (Thus, under a weaker assumption, we can show that a weaker 
form but still useful form of collision-freeness holds. We note our reductions here 
are tight, unlike those of [INI, IN2j. These results eire omitted form this abstract 
but can be found in [BM].) 

In summary AdHASH is quite attractive both on the efficiency and on the 
security fronts. 

1.5 Hashing from Lattice Problems 

Ajtai introduced a linear function which is provably one-way if the problem of 
approximating the (Euclidean) length of the shortest vector in a lattice is hard 
[Ajj. (The function is matrix-vector multiplication, with particular peirameters). 
Goldreich, Goldwasser aind Halevi [GGH] observed that Ajtai’s main lemma can 
be applied to show that the function is actually collision-free, not just one-way. 
We observe that this hash function is incremental. But we also point out some 
impracticalities. 

We then use our randomize-then-combine paradigm to derive a more practical 
version of this function. (Our function is more efficient and has smaller key size). 
It is called LtHASH (for “lattice hash”). The group is G = Z* for some integers 
p, k, meaning we interpret the randomized blocks as i- vectors over Zp and add 
them component-wise. Assuming h is ideal the security of this hash function 
can be directly related to the problem underlying the security of Ajtai’s one-way 




168 



function [Aj, GGH] so that it is collision-free as long as the shortest lattice vector 
approximation problem is hard. 

Note that the same assumption that guarantees the security of LtHASH 
(namely hardness of approximation of length of the shortest vector in a lattice) 
also guarantees the security of AdHASH, and the efficiency is essentially the 
same, so we may just stick with AdHASH. However it is possible that LtHASH 
has some features of additional interest, and is more directly tied to the lattice 
hardness results, so it is worth mentioning. 

1.6 Attack on XHASH 

Ideally, we would like to hash using only “conventional” cryptography (ie. no 
number theory.) A natural thought is thus to set the combining operation to 
bitwise XOR. But we show in Appendix A that this choice is insecure. We present 
an attack on the resulting function XHASH, which uses Gaussian elimination 
and pairwise independence. It may be useful in other contexts. 

We are loth to abandon the paradigm based on this: it is hard to imagine any 
other paradigm that yields incrementality. But we conclude that it may be hard 
to get security using only conventional cryptography to implement the combining 
operation. So we turned to arithmetic operations and found the above. 

1.7 The balance problem 

We identify a computational problem that can be defined in an arbitrary group. 
We call it the balance problem. It turns out that consideration of the baleince 
problem unifies and simplifies the treatment of hash functions, not only in this 
paper but beyond. Problems underlying algebraic or combinatorial collision-free 
hash functions are often balance problems. We will see how the hardness of 
the balance problem follows from the hardness of discrete logs; how in additive 
groups it is just the weighted subset sum problem; and that it captures the 
matrix kernel problem presented in [Aj] which is the basis of lattice based hash 
functions [GGH]. 

The problem is simply that given random group elements oi,...,an, find 
disjoint subsets /, J C {1, . . . ,n}, not both empty, such that Oig/ “* ~ OjgJ 
where © is the group operation. Having reduced the security of our hash function 
to this problem in Lemma 2, our main technical effort will be in relating the 
balance problem in a group to other problems in the group. 

1.8 Related Work 

For a comprehensive survey of hashing see [MW, Chapter 9]. 

Discrete logarithm or factoring based functions. To the best of our 
knowledge, all previous discrete logarithm or factoring based hash functions 
which have a security that can be provably related to that of the underlying 
number theoretic problem use at least one multiplication per bit of the message, 
and sometimes more. (For example this is true of the functions of [Dal], which 




169 



are based on claw-free permutations [GMR].) In contrast, MuHASH uses one 
multiplication per 6-bit block 2 uid can make 6 leirge to mitigate the cost of the 
multiplication. (But MuHASH uses a random oracle assumption which the pre- 
vious constructions do not. And of course the previous functions, barring those 
of [BGGl], are non-incremental.) 

Collision-free versus universal one-way. Collision-freeness is a stronger 
property than the property of universal one-wa 5 mess defined by Naor and Yung 
[NY]. Functions meeting their conditions are not necessarily collision-free. (But 
they do suffice for many applications.) 

Subset-sum based hashing. Impagliazzo and Naor [INI, IN2] define a hash 
function and prove that it is a universal one-way function (which is weaker than 
collision-free) as long as the subset-sum function is one-way. The same function 
is defined in [Da2, Section 4.3]. There it is conjectured to be collision-free as well, 
but no proof is provided. These functions have a key length as long as the input 
to be hashed (very impractical) and use one addition per bit of the message. In 
contrast, AdHASH has short key length and uses one eiddition per 6-bit block of 
the message, and 6 can be made large. 

Hashing by multiplying in a group. Independently of our work, Impagliazzo 
and Naor have also considered hashing by multiplying in a group. These results 
have been included in [IN2], the recent journal version of their earlier [INI]. In 
their setup, a list of random numbers oi,...,a„ is published, and the hash of 
message x is nr=i where Xi is the i-th bit of x and the product is taken in 
the group. Thus there is one group operation per bit of the message, and also the 
key size is proportional to the input to be hashed. Functions resulting from our 
paradigm use one group operation per 6-bit block, which is faster, and have fixed 
key size. On the security side, [IN2] show that their hash function is universal 
one-way as long as any homomorphism with image the given group is one-way. 
(In particuljir, if the discrete logarithm problem in the group is hard.) In contrast 
we show that our functions have the stronger property of being collision-free. But 
the techniques are related and it is also important to note that we use a random 
oracle assumption and they do not. On the other hand our reductions are tight 
and theirs are not. 

The general security assumption of [IN2] and their results provide insight 
into why MuHASH may be secure even if the discrete logarithm problem is easy. 

Modular arithmetic hash functions. Several iterative modular arithmetic 
based hash functions have been proposed in the past. (These do not try to 
provably relate the ability to find collisions to any underlying hard arithmetic 
problems.) See Girault [Gi] for a list and some attacks. More recent in this vein 
are MASH-1 and MASH-2, designed by GMD (Gesellschaft fur Matheraatik im 
Dataverarbeitung) and being proposed as ISO standards. However, attacks have 
been found by Coppersmith and Preneel [CP]. 

XOR MACS. Our paradigm for haishing is somewhat inspired by, and related 
to, the XOR MACs of [BGR]. There, XOR worked as a combining operation. 
But the goal amd assumptions were different. Those schemes were for message 




170 



authentication, which is a private key based primitive. In particular, the function 
playing the role of h was secret, computable only by the legitimate peuties and not 
the adversary. (So in particular, the attack of Appendix A does not apply to the 
schemes of [BGR].) However, hash functions have to have a public description, 
and what we see is that in such a case the security vanishes if the combining 
operation is XOR. 

Incrementality. Other work on incremental cryptography includes [BGG2, 
Mi]. The former consider primitives other than hashing, and also more general 
increments operations than block repl 2 «;ement, such as block insertion and dele- 
tion. (Finding collision-free hash functions supporting these operations is an open 
problem.) The latter explores issues like privacy in the presence of increments 
operations. 

2 Definitions 

2.1 Collision-free Hash Functions 

Families of hash functions. A family of hash functions F has a key space 
Keys{F). Each key K G Keys(F) specifies a particular function mapping Dom(F) 
to Range(F), where Dom(F) is a domSn common to SI functions in the family, 
and Range{F) is a range Sso common to SI functions in the family. FormSly, 
we view the family F as a function F: Keys{F) x Dom(F) Range(F), where 
the function specified by K is F(K, ■). 

The key space Keys(F) has an associated probability distribution. When we 
want to pick a particular hash function from the family F we pick K at remdom 
from this distribution, thereby specifying F(K, •). The key K then becomes pub- 
lic, avSlable to SI parties including the adversary: these hash functions involve 
no hidden randomness. 

In our constructions an “ideS hash function” h is Sso present. We follow the 
pciradigm of [BRj: In prcictice, h is derived from a standard cryptographic hash 
function like SHA, while formSly it is modeled as a “random oracle.” The latter 
means h is initiSly drawn at random from some family of functions, and then 
made public. Parties have oracle access to h, meeining they are provided with a 
box which, being queried with a point x, replies with k(x). This is the only way 
h can be accessed. We stress the oracle is public: the 2 idversary too can access 
h. 

FormSly, h will be viewed as part of the key defining a hiish fimction, and 
the random choice of a key includes the choice of h. TypicSly a key will have 
two parts, one being some short string a and the other being h, so that formSly 
K = {(T,h). (For exaunple, a may be a prime p, to specify that we are working 
over Zp). We treat them differently in the notation, writing F* for the function 
F{K, ). This is to indicate that Sthough both «r and h are public, they are 
accessed differently: everyone has the complete string a, but to h only oracle 
access is provided. It is to be understood in what follows that the families we 
discuss might involve a random oracle treated in this way, and when the key is 




171 



chosen at random the oracle is specified too. For more information about random 
oreicles the reader is referred to [BR]. 

We want hash functions that compress their data. A typical desired choice is 
that Dom{F) = {0, 1}* and Range(F) is some finite set, for example {0, 1}* for 
some integer k. But other choices are possible too. 

Collision-resistance. A collision for F{K, •) is a P£ur of strings x,y G Dom(F) 
such that X ^ y but F(K, x) = F(K, y). When Dom(F) is larger than Range(F), 
each F{K, •) will have many collisions. What we want, however, is that these are 
difficult to find. To formalize this, say a collision-finder is an algorithm C that 
given a key K € Keys{F) tries to output a collision for F{K, ■). (When K 
includes a random oracle, this of course means the collision-finder gets oracle 
access to this same random oracle). We are interested in the probability that 
it is successful. This probability depends on the time t that is allowed C. (For 
convenience the “time” is the actual running time, on some fixed RAM model 
of computation, plus the size of the description of the algorithm C. In general 
we would also measure the eimount of memory used, but for simplicity we only 
measure time. The model of computation is that used in any standard text on 
algorithms, for example [CLR], and we analyze the running time of algorithms 
in the same way as in any algorithms course). If a random oracle h is present, we 
consider the number of /i-computations (formally, the number of oracle queries) 
as a separate resource of the collision-finder, and denote it by q. In this case we 
have the following. 

Definition!. We say that collision-finder C (f, q, e)-breaks a hash family F if 
given a key K it runs in time t, makes at most q oracle queries, and finds a 
collision in F{K, •) with probability at least €. We say that F is (f,q,€)-collision- 
free if there is no collision-finder which (f, q, e)-breeiks F. 

The probability above is over the choice of the key K from Keys{F) (which 
includes the choice of the random oracle h) and the coins of (7. If the random 
oracle is not present, we simply drop the “q”, and have (f, e)-breaking and (f, e)- 
security. 

2.2 Incrementality 

We follow [BGGI]. Suppose we have computed the hash value y = F{K,x) of 
a message a: = ii . . .x„. Now x is modified; block i is replaced by a new block 
xj. We want to update y to y' = F{K,x'), where x' is the message resulting 
from replacing block i of i by Xj. We want to do it in some way faster than 
re-computing F{K, x') from scratch. The job will be done by an incremental 
algorithm. It takes as input K,x,y,i,x\ and outputs y'. Ideally it runs in time 
that is independent of the number of blocks in the messages. 

2.3 Classes of groups 

We will consider groups in which computationed problem (example, computing 
discrete logarithms or solving weighted knapsacks) is hard. Form^dly, we must 
treat families (classes) of groups. 




172 



Classes of groups. Formally, a class of groups is some finite collection of 
groups such that given a description (G) of a group from the class, one can com- 
pute all the group operations. Also, there is some distribution on Q according to 
which we can draw a (description of a) group. Finally we assume a representa- 
tion of group elements under which any group element of any group is a Z^-bit 
string for some L, meaning G C {0, 1}^ for all G € Q. This L is called the output 
length. For example Q = {Z* : pis prime and |p| = A: }, for some large enough 
k, is a class of groups. Here (G) = p is the prime describing a particular group, 
and it is drawn at random from all A:-bit primes. The output length is L = A:. 

Timing. In the security analyses we need to estimate running times of the al- 
gorithms in the reductions. The timing estimates depend on the groups. Ac- 
cordingly given a class of groups Q we let Trand(^),Tmuit(6),'rexp{P) denote, 
respectively, the time to pick a random element of G, the time to multiply two 
elements in G and the time to do ^ln exponentiation in G, for G £ Q. 

2.4 The balance problem in a group 

For the purpose of analyzing the security of our hash functions we introduce a 
new computational problem, Ccilled the balance problem in a group. Lemma 2 
will relate the security of our hash function to the assumed hardness of this 
problem. (Our task will then be reduced to finding groups with a hard balance 
problem. Typically we will do this by further reducing the balance problem to 
a conventional hard problem like discrete log finding or (weighted) subset sum.) 
Here we define the balance problem. 

Let Q be some family of groups and n an integer. In the (^,n)-balance prob- 
lem we are given (the description (G) of) a group G £Q and a sequence oi , . . . , o„ 

of elements of G. We must find weights Wi € {—1,0, -1-1} not all zero, 

such that 

a5"‘ © • • • O a“" = e 

where 0 is the group operation and e is the identity element in the group.^ In 
other words we are asked to find two disjoint subsets not both 

empty, such that 0,g/a. = (0, n)-balance problem 

is (t, e)-hard if no algorithm, limited to run in time t, can find a solution to an 
istance G, , . . . , a« of the problem with probability more than e, the probability 
computed over a random choice of G from Q, a choice of ai, . . . ,a„ selected 
uniformly and independently at random in G, and the coins of the algorithm. 



3 The Paradigm 

We suggest a new paradigm for the construction of collision-free hash functions. 

For a multiplicative group, this means I7r=i ~ additive group it 

would mean Wim = 0. 




173 



3.1 The Construction 

The construction is depicted in Figure 1. We fix a block size b and let B = {0, 1}**. 
Think of the input x = xi . . . as a sequence of blocks, meaning Xi € B for each 
i = 1, . . . , n. Let N be larger than the number of blocks in any message we plan 
to hash, and let I — Ig(iV) + b. We are given a set G on which some operation, 
which we call the combining operation and denote by ©, has been defined. (The 
operation is at the very least associative, but, as we will see later, we prefer it 
be a full-fledged group operation.) We are also given a function h: {0, 1}* G 
which we call the randomizer or compression function. Now what we do is: 

1. For e 2 ich block t = 1, . . . ,n, concatenate a lg(Af)-bit binary encoding (i) of 
the block index i to the block content Xj to get an augmented block xj = 
{i).Xi 

2. For each i = 1, . . . , n, apply h to xj to get a hash value yi = h{x'^ 

3. Combine yi,- -.jyn via the combining operation to get the final hash value 

1/ = j/i O ya © • ■ • 0 1/n- 

More succinctly we can write the function as 

HASH^g) ( xi . . . x„) = 0”,i h((i> . Xi) , (1) 

where {G) denotes some indication of the group G which enables computation 
of the group operation. (For example \i G — Z* then (G) = p). We call this the 
randomize then combine construction. 

If the output of our hash function (which is an element of G) is too long then 
optionally we can hash it to a shorter length by applying a standard collision-free 
hash function such as SHA-1. 




Fig. 1. Our paradigm for hashing message i = xi . . . x„: Process individual blocks via 
a function h and then combine the results via some operation G. 








174 



Notice that padding the blocks with (a representation of) their indexes before 
applying h is important for security. Without this, re-ordering of the blocks in 
a message would leave the hash value unchanged, leading to collisions. 

The hash family. Equation (1) specifies em individual function, depending on 
the group G. Formally, we actually have a family of hash functions, because we 
will want to draw G from some class of groups for which some computational 
problem (example, computing discrete logarithms or solving weighted knapsacks) 
is hard. 

Let 5 be a class of groups, as defined in Section 2.3. The associated family of 
hash functions is denoted HASH(^,6). An individual function HASH*q) of this 
family, as defined in Equation (1), is specified by a random oracle h: {0, 1}* -> G 
and a description (G) of a group G £ Q. Here I = b + Ig(AT) as above. We can 
set N to & constant like 2*°. (We will never need to hash a message with more 
than 2®° blocks!). Thus I — b + 0(1). So think of I as 0(b). This is assumed 
in estimates. The key defining HASH^^jj consists, formally, of (G) and h. (See 
Section 2.1). The domain of this hash family is = BU B^li . . .0 B^ where 
B = {0, 1}*", namely all strings over B of length at most N. The range of this 
family is {0, 1}^ where L is the output length of G- 

3.2 Incrementality and parallelizability 

Since the combining operation is associative, the computation is parallelizable. In 
order to get an incremental hash function we will work in a commutative group, 
so that O is also commutative and invertible. In such a Ccise, increments are 
done as follows. If block X{ changes to x\ then the new hash is y © h((i ) . Xi)~^ 0 
h({i) . x'i) where (•)~^ denotes the inverse operation in the group and y is the old 
hash, namely the he^h of x. 



3.3 Choosing the randomizer 

For security the randomizer h must definitely be collision-free: it is easy to see 
that the entire construction fails to be collision-free otherwise. In practice h 
is derived from a standard hash function. (We suggest that the derivation be 
keyed. For example, h(x‘) — H(k.x' .k) where « is a random string viewed as 
part of the key specifying the hash function and H (y) is ^ln apprporiate length 
prefix of SHA-1(0 . y) . SHA-1(1 . y) . . ..) In the analyses, we in fact assume much 
more, namely that it is an “ideal” hash function or random oracle [BR].) Its 
computation is Eissumed fast. 

3.4 Choosing the Combining Operation 

Making the right choice of combining operation is crucial for security and effi- 
ciency. 

Combining by XORing doesn’t work. Ideally, we would like to hash using 
only “conventional” cryptography. (le. no number theory.) A natural thought 




175 



towards this end is to set the combining operation to bitwise XOR. But this 
choice is insecure. Let us look at this a bit more closely. 

Let G = {0, 1}* for some fixed length k, like k = 128. If we set the combining 
operation to bitwise XOR, denoted ©, the resulting function is 

XHASH'‘(n ...xn) = ®r=i H(i) ■ Xi) 

The incrementality is particularly efficient in this case since it takes just a couple 
of XORs. The question is whether XHASH* is collision-free. At first glance, it 
may seem so. However XHASH is in fact not collision-free. Indeed, it is not even 
one-way. (One-wayness is necessary, but not sufficient, for collision-resistance). 
The attack is interesting, and may be useful in other contexts, so we present it 
in Appendix A. Given a string z € {0, 1}* we show there how to find a message 
I = ii . . .x„ such that XHASH'* (i) = z. (The attack succeeds with probability 
at least 1/2, the probability being over the choice of h, and works for n > A: -f- 1.) 
The attack makes 2n /i-computations, sets up a certEun linear system, and then 
uses Gaussian elimination to solve it. The proof that it works exploits pairwise 
independence eirguments. 

Other combining operations. Thus we see that the choice of combining 
operation is important, eind the most tempting choice, XOR, doesn’t work. We 
are loth to abandon the pairadigra based on this: it is hard to imagine any other 
paradigm that yields incrementality. But we conclude that it may be hard to 
get security using only conventional cryptography to implement the combining 
operation. So we turn to arithmetic operations. 

We consider two: multiplication in a group where the discrete logarithm 
problem is hard, and addition modulo an integer of appropriate size. It turns 
out they work. But we need to be careful about security given the experience 
with XOR. 

To this end, we begin below by relating the security of the hash function to 
the balcince problem in the underlying group. A reader interested more in the 
constructions should skip to Section 4. 

3.5 The balance lemma 

The security of the hash functions obtained from our paradigm can be related to 
the balance problem in the underlying class of groups, as defined in Section 2.4. 
Specifically, in order to prove the security of a particular hash function family 
HASH(^,6), it will be sufficient to show that the balance problem associated 
with the corresponding group family is hard. To understand the theorem below, 
it may be helpful to refer to the definitions in Section 2. Recall that q refers 
to the number of computations of h and the theorem assumes h is ideal, ie. a 
random function of {0, 1}' to G. The theorem says that if the balance problem 
is hard over Q then the corresponding family of hash functions is collision-free. 
Moreover it tells us precisely how the parameters describing the security in the 
two cases relate to each other. Below c > 1 is a small constant, depending on 
the model of computation, which can be derived from the proof. 




176 



Lemma 2. Let Q and q be such that the {Q,q) -balance problem is {t',e')-hard. 
Then HASH(^,6) is a (t,q,e)- collision- free family of hash functions where e = e' 
and t = f /c -q-b. 

Proof We are given a collision-finder C, which takes (G) and an oracle for h, 
and eventually outputs a padr of distinct strings, x = xi . . . i„ and y = yi ■ ■ -ym, 
such that HASH|g^(x) = HASHfcj (y). We want to construct an algorithm K 
that solves the {y, g)-balance problem. It takes as input (G) and a list of values 
ui,. . . ,a, selected uniformly at random in G. K runs C on input (G), answer- 
ing its oracle queries with the values ai , U 2 , . . . , a, in order. (We assume oracle 
queries are not repeated.) Notice the answers to oracle queries are uniformly 
and independently distributed over G, as they would be if h: {0, 1}* -y G were 
a random function. We will let Qi denote the i-th oracle query of C, namely the 
one answered by Oj, so that h{Qi) = a<, and we let Q = {Qi, . . . , Qq}- 

Finally, C outputs two strings x = xi . . . x„ and y = yi-.. ym, such that 
X ^ y but HASH*qj(x) = HASH^q^(j/). We know this means 

/i((l).xi)©...©/i((n).x„) = /i((l).yi )©...© /i({rn).j/m) , (2) 

the operations being in G. (Note that the strings x and y are not necessarily of the 
same size; that is, m may not be equal to n.) We will construct a solution to the 
balance problem from x and y. Let xj = {i) -Xi for i = 1, . . . , n and j/( = (i) . yi 
for i = l,...,m. We can assume wlog that x[,. . . ,Xn,y\,- • • ,y'm £ Q- We let 
fx(i) be the (unique) value j G [g] such that x( = qj and we let fy{i) be the 
(unique) j € [g] such that y[ = qj. We then let / = { fx{i) : i = 1, . . . ,n } and 
J = { fy{i) : i = 1, . . . , m } be, respectively, the indices of queries corresponding 
to I and y. Equation (2) can be rewritten as 

Oier ~ 

We know that x ^y, and so I ^ J. Now for i = 1, . . . , g let us define 

{ -lif i G J - r 
0 if i G / n J 
-l-lif i G / - J. 

Then the fact that I ^ J means that not all wi, . . . are 0, and Equation (3) 
implies o“‘ 0 • • • © a^" = e. The probability that we find a solution to the 
balance problem is exactly that with which C outputs a collision, and the time 
estimates can be checked. | 

4 MuHASH: The Multiplicative Hash 

Here we present our first concrete construction, the multiplicative hash function 
(MuHASH), and einalyze its efficiency and security. 




177 



4.1 Construction and efficiency 

We set the combining operation in our paradigm to multiplication in a group 
where the discrete logarithm problem is hard. (For example G = Z* for an 
appropriate prime p, or some subgroup theoreof.) To empheisize multiplication, 
we call the function MuHASH rather than the general HASH of Section 3. So 
the function is 

MuHASH^^g) (xi ■ ■ ■ x„) = nr=i -Xi). (4) 

The product is taken in the group G over which we are working. (Thus if we 
are working in Z*, it is just multiplication modulo p. In this case (G) = p 
describes G.) Here all the notation cmd conventions are as in Section 3.1. A cltiss 
of groups Q gives rise to a family MuHASH(0, b) of hash functions as described 
in Section 2.3. 

If Gr = Z* then for security k = |p| should be at least 512 or even 1024, 
making the final hash value of the same length. A hash of this size may be 
directly useful, for example for signatures, where the message is hashed before 
signing. (For RSA we want a string in Z^ where N is the modulus, and this 
may be 1024 bits.) In other cases, we may want a smaller hash value, say 160 
bits. In such cases, we allow a final application of a standard collision-free hash 
function to the above output. For example, apply SHA-1 to MuHASH^^j(i) and 
get a 160 bit string. 

Computing our hash function takes one multiplication per block, ie. one mul- 
tiplication per b bits of input. (This is in contrast to previous methods which 
required one multiplication per bit.) To minimize the cost, one can increase the 
block size. The increment operation is performed as per Section 3.2, and takes 
one inverse and two multiplication operations in the group, plus two applications 
of h. Thus it is cheap compaired to re-computing the hash function. 

Note that the computation of MuHASHJ^^ is entirely parallelizable. The 
applications of h on the augmented blocks can be done in pEirallel, and the 
multiplications can zJso be done in parallel, for example via a tree. This is useful 
when we have heirdware for the group operation, as well might be the case. 



4.2 The discrete logarithm problem 

The security of MuHASH depends on the discrete logarithm problem in the 
underlying group. Let us begin by defining it. 

Let ^ be a class of groups, for exEimple Q = {Z* : p is a prime with |p| = k}. 
Let G £ Q, g a generator of G, and y £ G. A discrete log finder is an algorithm 
I that takes g, y, (G) and tries to output logj(j/). Its success probability is taken 
over a random choice of G from Q (for the example Q above, this means we 
choose a random A-bit prime p) and a random choice of j/ € G. We say that the 
discrete logarithm problem in Q is (t',e')-hard if any discrete logarithm finder 
that runs in time t' has success probability at most e'. 




178 



4.3 Security of MuHASH 

The attack on XHASH we saw above indicates that we should be careful about 
security. Moving from XOR to multiplication as the “combining” operation kills 
that attack in the case of MuHASH. Are there other attacks? 

We indicate there are not in a very strong way. We show that as long as 
the discrete logarithm problem in G is hard and h is ideal, MuHASH is 
collision-free. That is, we show that if there is any attack that finds collisions 
in MuHASH^q) then there is a way to efficiently compute discrete logarithms in 
G. This proven security obviates us from the need to consider the effects of any 
specific atteicks. 

At first glEince this relation of the security of MuHASH to the discrete loga- 
rithm problem in G may seem surprising. Indeed, the description of MuHASH^g^ 
makes no mention of a generator g, nor is there even any exponentiation: we are 
just multiplying group elements. Our proofs illustrate how the relationship is 
made. 

We look first at general groups, then, to get better quantitative results 
(ie. better reductions) we look at special classes of groups. 

Approach. All our proofs have the same structure. First it is shown that if the 
discrete log problem is hard in Q then also the balance problem is hard in G- The 
security of the hash function is then derived from Lemma 2. The main technical 
question is thus relating the balance and discrete logarithm problems in groups. 

Notice this is a question just about computational problems in groups: it 
has nothing to do with our hash functions. Accordingly, we have separated the 
materiel on this subject, putting it in Appendix B. There we prove a sequence 
of lemmas, showing how the quality of the reduction changes with the group. 
These lemmas could be of independent interest. We now proceed to apply these 
lemmas to derive the security of MuHASH for various groups. 

Security in general groups. The following theorem says that the only way to 
find collisions in MuHASH (assuming h is ideal) is to solve the discrete logarithm 
problem in the underlying group. The result holds for any class of groups with 
heurd discrete logarithm problem. Refer to Sections 4.1, 4.2 and 2.3 for notation. 
Below c > 1 is a small constant, depending on the model of computation, which 
can be derived from the proof. 

Theorems. Let G be a class of groups with output length L. Assume the dis- 
crete logarithm problem in G w {f ,e')-hard. Then for any q, MuHASH(^,6) w 
a (t, q,e)- collision- free family of hash functions, where e = qe' and t = t'/c — q ■ 
[Tr^UG)+T,,^{G) + L + b]. 

Proof Follows from Lemma 2 and Lemma 9. I 

In the above reduction, if the probability one can compute discrete logarithms is 
e' then the probability of breaking the hash function may be as high as e = qe'. 
A typical choice of q is about 2^. This means the discrete logarithm problem 
in G must be very h^d in order to make finding collisions in the hash function 




179 



quite haxd. To make e appreciably small, we must make e' very small, meaning 
we must use a larger value of the security parameter, meaning it takes longer to 
do multiplications and the hash function is less efficient. It is preferable to have 
a stronger reduction in which e is closer to c'. (And we want to do this while 
maintaining the running time t' of the discrete logarithm finder to be within 
an additive amount of the running time t of the collision-finder, ais it is above. 
Reducing the error by repetition does not solve our problem.) 

We now present better reductions. They exploit the group structure to some 
extent. We look first at groups of prime order (where we have an essentially 
optimal redution), then at multiplicative groups modulo a prime (where we do a 
httle worse, but still very well, and much better than the naive reduction above). 

Security in groups of prime order. The recommended group G in which 
to implement MuHASH^q^ is a group of prime order. (For example, pick a large 
prime p of the form p = 2p' + 1 where p' is also prime, and let G be a subgroup 
of order p' in Z* . The order of Z* is p — 1 which is not prime, but the order of 
G is p' which is prime.) The reason is that the reduction is tight here. As usual 
c > 1 is a small constant, depending on the model of computation, which can be 
derived from the proof. 

Theorem 4. Let G be a class of groups of prime order with output length L. 
Assume the discrete logarithm problem in Q is {t\e')-hard. Then for any q, 
MuHASH(^, 6) is a (t, q, e) -collision-free family of hash functions, where e = 2e' 
and t = Hfc - q • [Tr^nd{G) + + n.p{G) + L-i-b]-L\ 

Proof. Follows from Lemma 2 and Lemma 10. I 

The form of the theorem statement here is the seime as in Theorem 3, but this 
time the probability e of breaking the hash function is no more than twice the 
probability e' of computing discrete logarithms, for an attacker who runs in time 
which is comparable in the two czises. 

Security in Z* . The most popular group in which to work is probably Z* for a 
prime p. Since its order is p — 1 which is not prime, the above theorem does not 
apply. What we C 2 in show is that an analogous statement holds. The probability 
e of breaking the hash function may now be a little more than the probability e' 
of computing discrete logjirithms, but only by a small factor which is logarithmic 
in the size k of the prime p. As usu^d c > 1 is a small constant, depending on 
the model of computation, which can be derived from the proof. 

Theorems. Let k > 6 and let G = { Z* : p is a prime with |p| = k}. Suppose 
the discrete logarithm problem inG is if' ,e')-hard. Then for any q, MuHASH(^, b) 
is a {t,q,e)-collision-free family of hash functions, where e = 41n(0.694fc) e' and 
t = t' /c — qk^ — qb. 

Proof. Follows from Lemma 2 and Lemma 11. I 

The factor multiplying e' will not be too large: for example if A: = 512 it is about 
24. 




180 



Security in Practice. We have shown that computation of discrete loga- 
rithms is necessary to break MuHASH as long as h is idccd. Yet, it could be 
that MuHASH is even stronger. The reason is that even computation of discrete 
logarithms does not seem sufficient to find collisions in MuHASH. That is, we 
suspect that finding collisions in MuHASH^gj remains htird even if we can com- 
pute discrete logarithms. In particular, we know of no attacks that find collisions 
in MuHASH even if discrete logarithm computation is easy. In this light it may 
be worth noting that the natural attempt at a discrete logarithm computation 
based attack is to try to “reduce” the problem to finding additive collisions in 
the exponents and then apply the techniques of Section A. But this does not 
work. The underl 3 dng problem is a kind of knapsack problem which is proba- 
bly hard. In fact this suggests that the hash function obtained by setting the 
combining operation in our paradigm to addition might be already collision-free. 
This function and its security are discussed in Section 5. 

Some evidence that bre 2 iking MuHASH is hcirder than computing discrete 
logarithms comes fi-om the results of [IN2] who indicate that multiplication in G 
is a one-way hash as long as any homomorphism with image G is hard. We can 
extend their proofs, with added conditions, to our setting. This indicates that un- 
less all such homomorphisms are invertible via discrete logarithm computation, 
MuHASH will be collision-free. 

Also, although the proofs make very strong assumptions about the function 
h, it would appear that in practice, the main thing is that h is collision-free. In 
particular if h is set to SHA-1 then given the modular arithmetic being done on 
top of the h applications, it is hard to see how to attack the function. 

5 AdHASH: Hashing by Adding 

AdHASH is the function obtained by setting the combining operation in our 
paradigm to addition modulo a sufficiently large integer. Let us give the definition 
more precisely and then go on to look at security. 

5.1 Construction and Efficiency 

We let M be a ^-bit integer. As usual let a; = ari . . . ar„ be the data to be hashed, 
let b denote the block size, let N be such that all messages we will hash have 
length at most N and let I = 6 -I- Ig(A^). We let h: {0, 1}* Zm be a hash 
function, assumed ideal. The function is- 

AdHASH^(xi...x„) = mod M . 

Thus, the “key” of the function is the integer M. We let AdHASH(A;, b) denote 
the corresponding family, consisting of the functions AdHASH^/ as M ranges 
over all A:-bit integers and h ranges over all functions of {0,1}* to Zm- The 
distribution on the key space is uniform, meaning we draw M at random fi:om 
all A:-bit integers and h at random from all functions of {0, 1}* to Zm, in order 
to define a particular hash function from the family. 




181 



AdHASH is much faster than MuHASH since we are only adding, not multi- 
plying. Furthermore, it would seem k can be quite small, like a few hundred, as 
compEured to the sizes we need for MuHASH to make sure the discrete logarithm 
problem is hard, making the gain in efficiency even greater. In fact the speed of 
AdHASH starts approEiching that of standard hash functions. And of course it 
is incremental, with the cost of incrementality also now reduced to just adding 
and subtrE«;ting. Thus it is a very tempting function to use. Next we look at 
security. 

5.2 The Weighted Subset Sum Problem 

The security of AdHASH CEui be related to the difficulty of a certain modular 
subset-sum or knapsack type problems which we now define. 

Weighted knapsack problem. In the (A:, g)-weighted-knapsack problem we 
are given a A:-bit integer M, and q numbers ai,...,a, e Zm- We must find 
weights uii , . . . , ttf, e {— 1 , 0 , - 1 - 1 } , not all zero, such that 

0 (mod M) 

We say that the (A, g)-weighted-knapsack problem is (f',c')-hard if no algorithm, 
limited to nm in time t', can find a solution to an instance M, ai, . . . , Oj of the 
{k, g)-weighted-knapsack problem with probability more than c', the probability 
computed over a random choice of A:-bit integer M, a choice of oi, . . . , a, selected 
uniformly and independently at random in Zm, and the coins of the algorithm. 

Notice this is just the ( 6 , 9 )-balance problem for the class of groups Q = 
{ Zm ■ \M\ = k}. But it is worth re-stating it for this case. 

If we did not allow weights -1, and additionally asked that rather than be 0 
the sum must hit some given tEirget T, we would have the subset sum problem 
as used in pNl, IN2]. 

We must be careful how we choose the parameters: it is well known that for 
certain values of k and q, even the standard problem is not hard. Specifically, 
make sure that fi(log q) < k < q. It turns out this choice will not be a restriction 
for us Euiyway. Nice discussions of what is known are available in [Od] and [IN2, 
Section 1.2]. 

The hcirdness of the weighted problem is a stronger assumption than the 
hardness of the standard problem, but beyond that the relation between the 
problems is not known. However, there is important evidence about the hardness 
of the weighted knapsack problems that we discuss next. 

Relation to lattice problems. A well-known hard problem is to approxi- 
mate the length of the shortest vector in a lattice. The best known polynomial 
time algorithms [LLL, SH] achieve only an exponential approximation factor. It 
has been suggested that there is no polynomisJ time algorithm which achieves 
a polynomial approximation factor. Under this assumption, Ajtai showed that 
both the standard and the weighted subset-sum problems axe hard [Ajj. (Actu- 
ally he allows any small integer weights, not just —1,0, -1-1 like we do). That is, 
there is no polynomial time algorithm to solve these problems. 




182 



This is important evidence in favor of both the knapsack assumptions dis- 
cussed above. As long as approximating the length of a shortest lattice vector is 
hard, even in the worst c^lse, the knapsack problems are hard. This increases the 
confidence we can have in cryptosystems beised on these knapsack assumptions. 

Values of t',e' for which the standard and weighted knapsack problems are 
(t',6')-hard can be derived from Ajtai’s proof, eis a function of the concrete 
parameters for which one assumes shortest vector length approximation is hard. 
Since Ajtai’s proof is quite complex we do not know exactly what the relation 
is. 

We note however that even more is true. Even if the assumption about lattices 
fails (meaning an efficient approximation algorithm for the shortest lattice vector 
problem emerges), the knapsack problems may still be hard. Thus, we present 
all our results in terms of the knapsack assumptions. 

5.3 Security of AdHASH 

We relate the collision-freeness of AdHASH to the weighted knapsack problem. 
Below c> 1 is a small constant, depending on the model of computation, which 
can be derived from the proof. 

Theorem 6. Let k and q be integers such that the {k, q) -weighted-knapsack prob- 
lem is (t' , e')-hard. Then AdHASH(A:,6) is a (t,q,e)- collision- free family of hash 
functions where e = e' and t — t'/c- qM. 

Proof. Follows from Lemma 2 and the observation that weighted knapsack is a 
particular case of the balance problem, as mentioned in Section 5.2. I 

6 Incremental Hashing via Lattice Problems 

Ajtai introduced a function which he showed was one-way if the problem of 
approximating the shortest vector in a lattice to polynomiail factors is hard [Aj]. 
Goldreich, Goldwasser 2 ind Halevi observed that Ajtai’s main lemma could be 
applied to show that the same function is in fact collision-free [GGH]. Here 
we observe this hash function is incremental, and consider its practicality. We 
then use our paradigm to derive a more practical version of this function whose 
security is based on the s^lme assumption as in [Aj, GGH] plus the assumption 
that our h is ideal. Let us begin by recalling the problem shown hard by Ajtai’s 
main lemma. 

6.1 The Matrix Kernel Problem 

In the (A:,n, s)-matrix-kernel problem we Eire given p, M where p is an s-bit 
integer and M is a fc by n matrix with entries in Zp. We must find a non-zero 
n-vector w with entries in {—1, 0, -f 1} such that Mw = 0 mod p. (The operation 
here is matrix-vector multiplication, with the operations done modulo p). We 
say this problem is (t',€')-hard if no algorithm, limited to run in time t', can 




183 



find a solution to an instance p, M of the {k, n, s)-matrix-kemel problem with 
probability more than e', the probability computed over a r 2 indom choice of p, a 
random choice of matrix M, and the coins of the algorithm. 

Suppose ks < n < 2’/(2k*). Ajtai showed that with these parameters the 
matrix-kernel problem is hard under the assumption that there is no polynomial 
time algorithm to approximate the length of a shortest vector in a lattice within 
a polynomial factor. (Ajtai’s result was actually stronger, since he allowed entries 
in w to be any integers of “small” absolute value. However [GGH] observed that 
weights of — 1,0, +1 cue what is important in the context of hashing and we 
restrict our attention to these). 

A close examination of Ajtai’s proof will reveal specific values of t‘,e' for 
which we can assume the matrix kernel problem is (f, e')-hard, as a function of 
the assumed hardness of the shortest vector approximation problem. Since the 
proof is quite complex we don’t know what exactly these values are. 

Notice that the matrix kernel problem is just an instance of our general 
balance problem: it is the (^,n)-balance problem for Q — { Zp : |p| = s }. This 
shows how the balance problem unifies so many hash functions. 

6.2 The Ajtai-GGH E\mction 

The function. Let M be a random A: by n matrix with entries in Zp and let x 
be an n vector with entries in {0, 1}. The function of [Aj, GGH] is- 

= Mx mod p . 

Note Mx mod p is a A:-vector over Zp, meaning it is k\g{p) bits long. Since the 
parameters must obey the restriction klgip) < n < p/(2k‘*), the function is 
compressing: the length n of the input x is more than the length k log(p) of the 
output Mx mod p. Thus it is a hash function. Now, if the matrix kernel problem 
is hard this function is one-way [Aj]. Moreover, under the same assumption it 
is collision-free [GGH]. It follows from [Aj] that the function is collision-free as 
long as shortest vector approximation is hard. 

Incrementality. We observe the above function is incremental. Let Mi denote 
the i-th column of M, for i — l,...,n. This is a A- vector over Zp. Let x ~ 
xi ...Xn with X{ € {0, 1} for i = 1, . . . , n. Now we can write the function as- 

Hm,p(x) - modp. 

In other words, we are summing a subset of the columns, namely those corre- 
sponding to bits of X that are 1. Now suppose bit Xi changes to x[. If j/ (a A;- vector 
over Zp) is the old hash value then the new hash value is j/ -f - Xi)M< mod p. 
Computing this t£ikes k additions modulo p, or 0(felog(p)) time, a time which 
does not depend on the length n of x. 

Drawbacks of this function. A serious drawback of H is that the description 
of the function is very large: (nA: -f- l)lg(p) bits. In particular, the description 
size of the function grows with the number of bits to be hashed. This means we 




184 



must set an a priori limit on the number of bits to be hashed and use a function 
of size proportional to this. This is not feasible in preictice. 

One way to partially overcome this problem is to specify the matrix entries 
via an ideal hash function. For example if h: [Jk] x [n] -> Zp is such a function, 
set M[i,j] = h(i,j). But we can do better. The function we describe next not 
only hcis small key size and no limit on input length, but is Eilso more efficient.® 

6.3 LtHASH 

Our function is called LtHASH for “lattice based hash.” 

The construction. We apply the randomize-then-combine paradigm with the 
group G set to Z^. That is, ^ls usual let x = ii . . . a:„ be the data to be hashed, 
let b denote the block size, let N be such that all messages we will hash have 
length at most N and let 1 = 6 + Ig(fV). We let h\ {0, 1}^ ->^ Z* be a hash 
function, assumed ideal. Think of its output as a k-entry column vector over Zp. 
Our hash function is- 



LtHASHp(xi . . .x„) = X)r=i ^((*) mod p . 

Namely, each application of h yields a column vector, and these are added, 
componentwise modulo p, to get a final column vector which is the hash value. 

Notice that there is no longer any matrix M in the function description. This 
is why the key size is small: the key is just the s-bit integer p. Also LtHASHp 
is more efficient than the function described above because it does one vector 
aiddition per 6-bit input block rather than per input bit, and 6 can be made 
large. 

We let LtHASH(k, s,6) denote the corresponding fcimily, consisting of the 
functions LtHASH^ as p ranges over s-bit integers and h ranges over all functions 
of {0, 1}* to Zp. The key defining any particular function is the integer p, and 
the distribution on the key space is uniform, meaning we draw p at random from 
all s-bit integers in order to define a particular hash function from the family. 

Notice that AdHASH is the special case of LtHASH in which A; = 1 and 
p = M. 

Security. We relate the collision-freeness of LtHASH to the hardness of the 
matrix-kernel problem. The relation may not be evident a priori because LtHASH 
does not explicitly involve any matrix. But, intuitively, there is an “implicit” k 
by q matrix M being defined, where q is the number of oreicle queries allowed to 
the collision-finder. This matrix is not “fixed;” it depends on the input. But find- 
ing collisions in LtHASHp relates to solving the matrix kernel problem for this 
matrix. Below c > 1 is a small constant, depending on the model of computation, 
which cam be derived from the proof. 

® Another way to reduce the key size is define Hm,p only on relatively short data, and 
then, viewing it as a compression function, apply Damgard’s iteration method [Da2]. 
But then incrementality is lost. Also, the key sizes, although no longer proportional 
to the data length, are still larger than for the construction we will describe. 




185 



Theorem?. Letk,q,s be integers such that the (k,q,s) -matrix-kernel problem 
is {f ,e')-hard. Then LtHASH(fc,s,6) is a {t,q,£)-collision-free family of hash 
functions where e = e' and t = t' /c~ qks. 



Proof Follows from Lemma 2 and the observation, made in Section 6.1, that 
the matrix kernel problem is a particular case of the balance problen when the 
group is Z*. I 



We will choose the petrameters so that ks < q < 2*/(2fc^). (Recall s = |p|). In 
this case, we know that the required matrix kernel problem is hard as long as 
shortest lattice vector approximation is hard. 

To aictually implement the function we must have some idea of what val- 
ues to assign to the various security parmneters. Opinions as to the concrete 
complexity of the shortest lattice vector approximation problem vary across the 
community: it is not clear how high must be the dimension of the lattice to get a 
specific desired security level. (Although the best known algorithm for shortest 
vector approximation is only proven to achieve an exponential factor [LLL], its 
in prEWitice performance is often much better. And Schnorr and Horner [SH] have 
formd heuristics that do better still). In particular, it does not seem clear how 
big we need take k (which corresponds to the dimension of the lattice) before we 
CEUi be sure of security. One must also take into account the exact security of the 
reductions, which are far from tight. (Some discussion is in [GGH, Section 3]). 

Keeping all this in mind let us look at our case. It seems safe to set k = 500. 
(Less will probably suffice). We want to allow q, the number of oracle queries, to 
be quite large, say q = 2^°. To ensure q < 2" /(2k*) we must take s about 110. 
Namely p is 110 bits long. This is longer than what the function of [Aj, GGH] 
needs, making operations modulo p slower for LtHASH, but this is compensated 
for by having much fewer such operations to do, since we can make the block 
size b large. 

Of course LtHASH is still incremental. Incrementing takes one addition and 
one subtraction over Z*. 

Comparison with our other proposals. LtHASH is very similar to Ad- 
HASH. In fact it is just AdHASH implemented over a different domciin, and the 
security can be proven based on the same underlying problem of hardness of 
shortest lattice vector approximation. Notice also that AdHASH Ccui be consid- 
ered a special case of LtHASH, nEunely, the case k = 1. However the proof of 
security of LtHASH does not immediatly CEurry over to AdHASH because the 
shortest lattice vector problem in dimension A: = 1 is easily solved by the Eu- 
clideEin algorithm. So, the concrete security of LtHASH might be better because 
the relation to shortest lattice vector approximation is more direct. 

Comparison with MuHASH is difficult, depending much on how pEirEimeters 
are set in both functions, but AdHASH Eind LtHASH are likely to be more 
efficient, especially because we can make the block size b large. 




186 



Acknowledgments 

We thank Russell Impagliazzo for telling us about the relations between subset- 
sum and lattices, 2 ind for bringing [IN2] to our attention. We theink the (anony- 
mous) referees of Eurocrypt 97 for comments which improved the presentation 
of this paper. 

Mihir Bellare is supported in pcirt by NSF CAREER Award CCR-9624439 
and a Pzickard Foundation Fellowship in Science and Engineering. Daniele Mic- 
ciancio is supported in part by DARPA contract DABT63-96-C-0018. 

References 

[Aj] M. Ajtai, “Generating hard instances of lattice problems,” Proceedings of 
the 28th Annual Symposium on Theory of Computing, ACM, 1996. 

[BGGl] M. Bellare, O. Goldreich and S. Goldwasser, “Incremental cryptogra- 
phy: The case of hashing and signing,” Advances in Cryptology - Crypto 94 
Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., 
Springer- Verlag, 1994. 

[BGG2] M. Bellare, O. Goldreich and S. Goldwasser, “Incremental cryptogra- 
phy with application to virus protection," Proceedings of the 27th Annual 
Symposium on Theory of Computing, ACM, 1995. 

[BM] M. Bellare and D. Micciancio, “A new paradigm for collision-free hash- 
ing; Incrementality at reduced cost,” full version of this paper, available at 
http : / /vww-cse . ucsd . edu/user s/mihlr. 

[BGR] M. Bellare, R. Guerin and P. Rogaway, “XOR MAcs: New methods for 
message authentication using finite pseudorandom functions,” Advances in 
Cryptology - Crypto 95 Proceedings, Lecture Notes in Computer Science 
Vol. 963, D. Coppersmith ed.. Springer- Verlag, 1995. 

[BR] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm 
for designing efficient protocols,” Proceedings of the First Annual Conference 
on Computer and Communications Security, ACM, 1993. 

[Co] D. Coppersmith, “Two Broken Hash Functions,” IBM Research Report RC- 
18397, IBM ReseMch Center, Yorktown Heights, NY, October 1992. 

[CP] D. Coppersmith and B. Preneel, “Comments on MASH-1 and MASH-1,” 
Manuscript, February 1995. 

[CHP] D. Chaum, E. Heijst and B. Pfitzmann, “Cr 3 iptographically strong unde- 
niable signatures, unconditionally secure for the signer,” Advances in Cryp- 
tology - Crypto 91 Proceedings, Lecture Notes in Computer Science Vol. 576, 
J. Feigenbaum ed.. Springer- Verlag, 1991. 

[CLR] T. CORMEN, C. Leiserson and R. Rivest, “Introduction to Algorithms,” 
McGraw-Hill, 1992. 

[Dal] I. Damgard “Collision Ftee Hash Functions and Public Key Signature 
Schemes,” Advances in Cryptology - Eurocrypt 87 Proceedings, Lecture 
Notes in Computer Science Vol. 304, D. Chaum ed., Springer- Verlag, 1987. 
[Da2] I. Damgard “A Design Principle for Hash Functions,” Advances in Cryptol- 
ogy - Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, 
G. Brassard ed.. Springer- Verlag, 1989. 

[DBP] H. Dobbertin, A. Bosselaers and B. Preneel, “RIPEMD-160: A 
strengthened version of RIPEMD,” Fast Software Encryption, Lecture Notes 
in Computer Science 1039, D. Gollmann, ed.. Springer- Verlag, 1996. 




187 



[Gi] M. Girault, “Hash functions using modulo-N operations,” Advances in 
Cryptology - Eurocrypt 87 Proceedings, Lecture Notes in Computer Science 
Vol. 304, D. Chaum ed., Springer- Verlag, 1987. 

[GGH] O. Goldreich, S. Goldwasser and S. Halevi, “Collision-Free Hashing 
from Lattice Problems,” Theory of Cryptography Library (http : //theory . 
lc8.mit.edu/"tcryptol/) 96-09, July 1996. 

[GMR] S. Goldwasser, S. Micali and R. Rivest, “A digital signature scheme se- 
cure against adaptive chosen-message attacks,” SIAM Journal of Computing, 
Vol. 17, No. 2, pp. 281-308, April 1988. 

[INI] R. Impagliazzo and M. Naor, “Efficient cryptographic schemes provably as 
secure as subset sum,” Proceedings of the 30th Symposium on Foundations 
of Computer Science, IEEE, 1989. 

[IN2] R. Impagliazzo and M. Naor, “Efficient cryptographic schemes provably as 
secure as subset sum,” Journal of Cryptology, Vol. 9, No. 4, Autumn 1996. 

[LLL] A. Lenstra, H. Lenstra and L. Lovasz, “Factoring polynomials with ra- 
tional coefficients,” Mathematische Annalen Vol. 261, pp. 515-534, 1982. 

[MW] A. Menezes, P. Van Oorschot and S. Vanstone, “Handbook of Applied 
Cryptography,” CRC Press, 1996, 

[Me] R. Merkle “One Way Hash Functions and DES,” Advances in Cryptol- 
ogy - Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, 
G. Brassard ed., Springer-Verlag, 1989. 

[Mi] D. Micclancio, “Oblivious data structures: applications to cryptography,” 
Proceedings of the 29th Annual Symposium on Theory of Computing, ACM, 
1997. 

[NY] M. Naor and M. Yung, “Universal one-way hash functions and their cr5T>to- 
graphic applications,” Proceedings of the 21st Annual Symposium on Theory 
of Computing, ACM, 1989. 

[Od] A. Odlyzko, “The rise and fall of knapsack cryptosystems,” Advances in 
computational number theory, C. Pomerance ed., Proc. Syrap. Applied Math 
No. 42, pp. 75-88, AMS, 1990. 

[PGV] B. Preneel, R. Govaerts and J. Vandewalle, “Hash functions based on 
block ciphers: a synthetic approach,” Advances in Cryptology - Crypto 93 
Proceedings, Lecture Notes in Computer Science Vol. 773, D. Stinson ed., 
Springer-Verlag, 1993. 

[Ri] R. Rivest, “The MD5 Message-Digest Algorithm,” IETF RFC 1321, 
April 1992. 

[RS] J, Rosser and L. Schoenfeld, “Approximate formulas for some functions 
of prime numbers,” Illinois Journal of Math Vol. 6, 1962. 

[SH] C. ScHNORR and H. Horner, “Attacking the Chor-Rivest cryptosystem 
with improved lattice reduction,” Advances in Cryptology - Eurocrypt 95 
Proceedings, Lecture Notes in Computer Science Vol. 921, L. Guillou and 
J. Quisquater ed., Springer-Verlag, 1995. 

[SHA] FIPS 180-1. “Secure Hash Standard,” Federal Information Processing Stan- 
dard (FIPS), Publication 180-1, National Institute of Standards and Technol- 
ogy, US Department of Commerce, Washington D.C., April 1995. 

A Attack on XHASH 

In Section 3 we presented XHASH as a plausible candidate for a incremental 

collision-free hash function but indicated that it was in fact insecure. Here we 




188 



present the attawJc showing this. Recall that the function is XHASH*(a;i . . . x„) = 
h((l) .xi)0 • • • ®/i((n) .x„). Here each n is a 6-bit block, and / = 6 -t- Ig(AT) is 
large enough to accommodate the block plus an encoding of its index, by dint of 
making N larger than the number of blocks in any message to be hashed. Our 
assumption is that h: {0, 1}' -+ {0, 1}* is ideal, ie. a random function of {0, 1}* 
to {0,1}*. 

Our claim is that there is an atteick that easily finds colhsions in XHASH*. 
We will in fact show something stronger, namely that XHASH* is not even a 
one-way function. Given any k bit string z, we can efficiently compute a string 
X such that XHASH*(i) = z. (To see that this means XHASH* is not collision- 
free, let z = XHASH^(l/) for some random y and then apply the algorithm to 
produce x. With high probability i ^ y so we have a collision). 

We reduce the problem to solving linear equations. See [Co] for other attacks 
that exploit linear equations. 

The attack. Given z £ {0, 1}* we now show how to find x so that XHASH^(a:) = 
z. Fix two messages = x° . . .x° and x^ = x{ . . .xj, with the property that 
x° ^ x] for all i = 1, . . . , n. (We will see later how to set n. In fact n = A: -f 1 
will suffice.) For any n-bit string y = j/[l] . . .j/[n] we let x*' = Xj^^^ . . .Xn”^ We 
claim that we can find a y such that XHASH*(i*') = z. Let us first say how to 
find such a y, then see why the method works. 

We compute the 2n values = h{{i) .x{) for j = 0, 1 and i = 1, . . . , n. We 
want to find y[l], . . . ,y[n] 6 GF(2) sudi that 

. . . ® . . = z. 

Let us now regard y[l], . . . , y[n] as variables. We want to solve the equation 

To solve this, we turn it into a system of equations over GF(2). We first introduce 
new variables y[l], . . . , y\n\. We will force y[i] = 1 — y[tj. Then we turn the above 
into k equations, one for each bit. The resulting system is: 

y[i]©y[i] = 1 (i = !,...,«) 

0"=i L/]yW = z\j\ U = i,...,k) 

Here we have n + k equations in 2n unknowns, over the field GF(2). Below we 
show that if n = -I- 1 then there exists a solution with probability 1/2. We now 
set n = fc-M and solve the set of equations, for example via Gaussi^ln elimination, 
to get values for y[l], . . . , y[n] £ GF(2). (The system is slightly under-determined 
in that there are n + k = 2k + 1 equations in 2n = 2A: -f 2 unknowns. It can 
be solved by setting one unknown arbitrarily.) This completes the description of 
the attack. Now we have to see why it works. 

Analysis. There are two main claims. The first is that a solution y to the above 
does exist (with reasonable probability as long as n is sufficiently large). The 
second is that given that some y exists, the algorithm finds such a y. The latter 
is clear from the procedure, so we concentrate on the first. The following lemma 
implies that with n = A: -t- 1 a solution exists with probability at least one-half. 




189 



Lemma 8. Fix z e {0, 1}*. Fix two messages = x° . . . x° and x^ = xj . . . xj, 

wiUi the property that x° ^ x\ for all i — For any n-bit string y — 

j/[l] . . . j/[n] let x*' = Xj^^^ . . . Xn . Then 

Pr[3i, G {0, 1}” : XHASH'‘(x>') = z] > 1 - . 

The probability here is over a random choice of h from the set of all functions 
mapping {0, 1}* -> {0, 1}*. 

Proof. See [BM]. | 

B The balance problem and discrete logs 

In this section we show how the intrcictability of the discrete logarithm in a group 
implies the intractability of the balance problem in the same group. These are the 
technical lemmas underlying the theorems on the security of MuH ASH presented 
in Section 4.3. 

We stress that the question here is purely about computational problems in 
groups, having nothing to do with our hash functions. We first prove a very gen- 
eral, but quantitatively weak result for arbitrary groups. Then we prove strong 
results for groups of prime order and the group of integers modulo a prime. Re- 
fer to Section 2.4 for a definition of the balance problem and Section 4.2 for a 
definition of the discrete logarithm problem. 

General groups. The following says that if computing discrete logs in some 
class of groups is hard, then so is the balance problem. As usual c > 1 is a small 
constemt, depending on the model of computation, which can be derived from 
the proof. 

Lemma9. Let Q be a class of groups with output length L. Assume the discrete 
logarithm problem in Q ts {t' ,e')-hard. Then for any q, the {Q, q) -balance problem 
is {t,e)-hard, where e = qe' and t = t'/c - q ■ [Trand(^) + Te^piG) + L]- 

Proof. We are given an algorithm A, which takes (G) and a sequence of elements 
oi, . . . , a, in G and outputs weights G {—1,0, -Pi}, not all zero, such 

that = 1. Let 5 be a generator of the group G. We want to construct a 

discrete logarithm finding algorithm I. It takes as input (G), g, and y £G, the 
last randomly chosen, and returns logj{y). 

We let p = |G| be the order of G. We will use A to build I. I first picks 
at random an integer q* in the range 1, . . . , 9. I then computes elements Oj 
(i = 1,.. .,q) as follows. If i = q* then a< = y. Otherwise it chooses at random 
ri G Zp and sets Oj = p’’* . (Notice that since y is remdom and g is a generator, all 
Oj are uniformly distributed over G.) Finally, / runs A on input (G), oi , . . . , a, 

and gets a sequence of weights lui , . . . , not all zero, such that o^’ = 1. 

Let i* be such that ^ 0. Since the choice of q* was random and unknown 




190 



to A, with probability at least 1/g it will be the case that the q* = i' . For 
notational convenience, assume g’ = i* = 1. Now, substituting, we have 

yX»l . . . . gW,r, ^ J 

Re-arranging the temrs and noticing that lyf ^ = uii (in Zp) gives us 

y — mod p 

Thus, r = —wi {w 2 T 2 H mod p is the discrete logarithm of y emd I can 

output it and halt. The probability that I is successful is e times the probability 
that Wq> ^ 0, and we saw the latter was at least 1/g. That is, c' = c/g. 

Since 1 runs A it incurs time t. Computing each a< takes one random choice 
amd one exponentiation (except for a,* which only needs to be copied), meaning 
Trand(^) + Texp(5) steps per element. The output of C may be up to t bits long 
so reading it is another investment of time upto t. The final modular additions 
take 0{qL) time. The total time for the algorithm is thus t' = t + g • [Trand(5) + 
Texp(a) + L]. I 

This is a very general result, but quantitatively not the best. We now tighten 
the relationship between the parameters for special classes of groups. 

Groups of prime order. Let Q be some class of groups of prime order for 
which the discrete logarithm problem is hard, as discussed in Section 4.3. Below 
we see that e = 2e' rather than e = ge' as before, which is quite an improvement. 
As usual c > 1 is a small constant, depending on the model of computation, 
which can be derived from the proof. 

Lemma 10. Let Q be a class of groups of prime order with output length L. 
Assume the discrete logarithm problem in Q is {t',e')-hard. Then for any q, the 
(^) q)-balance problem is (t,e)-hard, where e = 2e' and t = t' fc — q ■ [Trand(5) + 
Tmult(^) + TexpiQ) -f- L] — 

Proof. We follow and modify the proof of Lemma 9. By assumption G has prime 
order. We let p = |G| be this order. SoG = {g* : i E Z^}. Note that computation 
in the exponents is modulo p and tedces place in a field, namely Zp. We will make 
use of this. 

Given A we are constructing I. I takes as input (G), g, and y € G, the last 
randomly chosen. If y = 1 (the “1” here standing for the identity element of G), 
then I can immediately answer logg(y) = 0. So, we can assume that y ^ 1- The 
key point where we differ from the previous proof is in how the input to A is 
computed. For each t = 1, . . . , g, algorithm I chooses at random n E Zp zmd also 
chooses at rcindom dj £ {0, 1} and sets o,- = g^'y''' . (Notice that g**’ is either 1 or 
g and we don’t need to perform a modular exponentiation to compute it. Notice 
also that since G has prime order every element of G except 1 is a generator. In 
particul£ir y is a generator and hence a; is uniformly distributed over G.) Now 
we continue to follow the proof of Theorem 3. We run A on input (G), oi , . . . , a. 




191 



and get weights w\,. . . ,Wq, not all zero, such that a]"' a“’ = 1. Substituting 

the values for Oj we have 

yUiirtgWidi . . . y«),r, gW,d, _ j 

Re-arranging terms gives us 

yWiTi-^ mod /) _ g—undi w,(i, mod p 



Now let 



r = lOiTi 4- • • • + WgTq mod p 
d = —widi — • • • — Wqdq mod p , 

so that our equation is j/’’ = g'^. Now, observe that r ^ 0 with probability at 
least 1/2. (This is because the value of d\ remains equi-probably 0 or 1 from 
the point of view of A, and is independent of other d{ values. At most one of 
the two possible values of di can make d = 0 and hence r = 0.) If it is the case 
that r ^ 0 then, since p is a prime, r has an inverse modulo p. I computes the 
inverse of r modulo p and denotes it by r“^. 7 outputs r~^d mod p. We have 
= j/'"'' = j/ so the output is indeed logj(j/). 

To show the algorithm outputs logj(y) with the claimed probability e', we 
just need to observe that the input distribution to A is that required by the 
balance problem. A solves this problem with probability e eind we get logj(y) 
with probability at least one half of that. | 

The group Z* . Finally we look at the group Z* where p is prime. This group 
has order p — 1, which is not prime, so Lemma 10 does not apply, but we can still 
do much better than Lemma 9. As usual c > 1 is a small constant, depending 
on the model of computation, which can be derived from the proof. 

Lemma 11. Let k > 6 and let Q — { Z* : p is a prime with \p\ = k). Suppose 
the discrete logarithm problem in Q is (t',e')-hard. Then for any q, the {G,q)~ 
balance problem is (f, e)-hard, where e = 41n(0.694A:) • e' and t = t' /c — qk^ — b. 

The following, which we will use in the proof, can be derived from inequalities 
in Rosser and Schoenfeld [RS]. 

Lemma 12. For any integer N >23 it is the case that 

t{N) ^ 1 

N -4-lnln77‘ 

We will have N — p—1, and it is to guarantee N >23 that we let the length k 
of p be at least 6 in Lemma 11. 




192 



Proof of Lemma 11. We let G = Z’ and let p = \G\=p — \. Thus (G) = p. We 
now follow and modify the proofs of Lemma 9 and Lemma 10. Given A we are 
constructing I. 

The key point where we differ from the previous proof is in how the input to 
A is computed. For each i = 1, . . . , gf, algorithm I chooses at reindom n £ Zp and 

also chooses at r 2 mdom d,- € Zp.lt sets Uj = (Notice that Oi is uniformly 

distributed in G because dj is random and g is a generator.) 

Finally, we run A on input (G), oi , . . . , a,. We define r and d as in the previous 
proof and get to the equation j/’’ = g^. We would like to compute mod p. The 
problem is that since p is no longer prime, this inverse may not exist. However, 
we claim (to be justified later) that r is uniformly distributed in Zp. This means 
that gcd(r, p) = 1 with probability 

' > ! > ! > I 

p - 41nln(p) - 41nln(2*) “ 41n(Jfcln(2)) “ 41n(0.694fc) ’ 

having used Lemma 12 and the fact that p = p - 1 < 2*. We can compute 
gcd(r,p), and, if it is one, compute mod p, in which case we can output 
logj(l/) as before, and the probability we succeed is the above. 

Now we must justify the claim that r is uniformly distributed in Zp-\. Note 
A has no information on the r; values, since the Ot values are uniformly and inde- 
pendently distributed of the rj values, thanks to the d,- values. So we are adding 
a non-zero number of uniformly distributed values. So the result is uniformly 
distributed. | 



Smooth Entropy and Renyi Entropy 



Christian Cachin* 



Department of Computer Science 
ETH Zurich 

CH-8092 Zurich, Switzerland 
cachin.i3acm.org 



Abstract. The notion of smooth entropy allows a unifying, generalized 
formulation of privacy amplification and entropy smoothing. Smooth en- 
tropy is a measure for the number of almost uniform random bits that 
can be extracted from a random source by probabilistic algorithms. It 
is known that the Renyi entropy of order at least 2 of a random vari- 
able is a lower bound for its smooth entropy. On the other hand, an 
assumption about Shannon entropy (which is Renyi entropy of order 1) 
is too weak to guarantee any non-trivial amount of smooth entropy. In 
this work we close the gap between Renyi entropy of order 1 and 2. In 
particular, we show that Renyi entropy of order a for any 1 < a < 2 
is a lower bound for smooth entropy, up to a small parameter depend- 
ing on a, the alphabet size and the failure probability. The results have 
applications in cryptography for unconditionally secure protocols such 
as quantum key agreement, key agreement from correlated information, 
oblivious transfer, and bit commitment. 



1 Introduction 

Entropy smoothing is the process of converting an arbitrary random source into 
a source with smaller alphabet and almost uniform distribution. Smooth entropy 
is an information measure that has been proposed recently [7] to quantify the 
number of almost uniform bits that can be extracted by a probabilistic algorithm 
from any member of a set of random variables. It unifies previous work on privacy 
amplification in cryptography and on entropy smoothing in theoretical computer 
science and enables a systematic investigation of entropy smoothing and its 
efficiency. 

The main question of entropy smoothing is: Given an arbitrary random 
source, how many uniformly random bits can be extracted? The formalization of 
smooth entropy allows for an arbitrarily small deviation of the output bits from 
perfectly uniform random bits that may include a small correlation with the ran- 
dom bits used for smoothing. The inclusion of randomized extraction functions 
is the main difference between entropy smoothing and “pure” random number 
generation in information theory [19], where no additional random sources are 

* Supported by the Swiss National Science Foundation, grant no. 20-42105.94. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 193-208, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




194 



available. However, entropy smoothing does not consider the auxiliary random 
bits as a resource, unlike extractors used in theoretical computer science [17]. 

In cryptography, entropy smoothing is known as privacy amplification. In- 
troduced in 1985 [3,4] and later generalized [2], it has become a key component 
of unconditionally secure cryptographic protocols with such various purposes as 
key agreement from correlated information [16], key agreement over quantum 
channels [1,5], oblivious transfer [6], and bit commitment [10]. 

Privacy amplification, for short, is a process that allows two parties to distill 
a secret key from common information about which an adversary has partial 
knowledge. The two parties do not know anything about the adversary’s knowl- 
edge except that it satisfies a general bound. By using a publicly chosen com- 
pression function, they are nevertheless able to extract a short key from their 
common information such that the total knowledge of the adversary about the 
key is arbitrarily small. 

Apart from the applications in cryptography, entropy smoothing is also at the 
core of many constructions in complexity theory. Examples are pseudorandom 
generation [11,14], derandomization of algorithms [15], hardness results in com- 
putational learning theory [13], and computing with degenerate, weak random 
sources [20]. A survey of these applications is given by Nisan [17]. 

Bennett et al. [4,2] and Impagliazzo et al. [12] independently analyzed entropy 
smoothing by universal hash functions [8] and showed that the length of the 
almost uniform output depends on the Renyi entropy of order 2 of the input. 
Privacy amplification can therefore be applied if the two parties assume a lower 
bound on the Renyi entropy of order 2 of the adversary’s knowledge about their 
information. By the properties of Renyi entropy, it is straightforward to extend 
this result to Renyi entropy of any order a > 2. 

On the other hand, it is known that a lower bound in terms of Renyi entropy 
of order 1 (which is equivalent to entropy in the sense of Shannon) is not sufficient 
to extract a non-trivial amount of uniform bits [2]. 

In this work, we close this gap and prove a lower bound on smooth entropy 
in terms of Renyi entropy of order a for any a between 1 and 2. Our result 
shows that the number of almost uniform bits that can be extracted with high 
probability from a random variable is given by its Renyi entropy order a, for 
any a > 1, up to a correcting term depending on a, the alphabet size and the 
failure probability. The correcting term becomes dominating for a — > 1. 

In a second part, we show that tighter lower bounds for smooth entropy 
can be obtained if one makes additional assumptions about the distribution. In 
particular, we show how an assumption about the so-called profile of the random 
variable leads to a lower bound on its smooth entropy that can be much tighter 
than the one given by Renyi entropy. 

The results can be applied immediately to any of the above-mentioned sce- 
narios using entropy smoothing and, in particular, to all applications of privacy 
amplification in cryptography. Our analysis shows that entropy smoothing by 
universal hashing is, in general, much more efficient than what was guaranteed 




195 



by previous results using Renyi entropy of order 2. This has important conse- 
quences for the efficiency of these protocols. 

The paper is organized as follows. Entropy and Renyi entropy are introduced 
in Section 2 and a review of smooth entropy is provided in Section 3. Our results 
are based on the spoiling knowledge proof technique, which is introduced in 
Section 4. The main result is proved in Section 5, and Section 6 contains the 
derivation of the tighter bound in terms of the profile. 



2 Preliminaries 

We assume that the reader is familiar with the notion of entropy and the basic 
concepts of information theory [9]. We repeat some fundamental definitions in 
this section and introduce the notation. All logarithms in this paper are to the 
base 2. The cardinality of a set S is denoted by |5|. 

A random variable X induces a probability distribution Fx over an alphabet 
X. Random variables are denoted by capital letters. If not stated otherwise, 
the alphabet of a random variable is denoted by the corresponding script letter. 
Families of random variables are denoted by X. 

The expected value of a real-valued random variable X is denoted by E[A]. 
The k-th moment inequality for any rccil-valued random variable X, any integer 
fc > 0, and f G E+ is 



<H^, (.) 

Another useful bound for any real- valued random variable X , any t € M"'" , and 
any r e K is [14] 



P[W>r] < (2) 

The (Shannon) entropy of a random variable X with probability distribution 
Px and alphabet X is defined as 

H{X) = - ^Px(x)logPx(x). 

The conditional entropy of X conditioned on a random variable Y is 

H{X\Y) = ^Py(t/)i?(X|y = y) 

yey 

where H(X\Y = y) denotes the entropy of the conditional probability distribu- 
tion Px\Y=y The binary entropy function is 

h(p) = -plogp- (1 -p)log(l -p). 




196 



The relative entropy or discrimination between two probability distributions 
Px and Py with the same alphabet X is defined as (using 0 log ^ = 0 and 
plogg = oo) 

DiPx\\Py)=Y.Px{x)\og^^. (3) 

xea- 

The Renyi entropy of order a of a random variable X with alphabet X is 

HaiX) = ^logTPxixr 

1—0 

x£X 

for a > 0 and a ^ 1 [18]. Because the limiting case of Renyi entropy for a — > 1 is 
Shannon entropy, we can extend the definition to Hi{X) = H{X). In the other 
limiting case a —1 oo, we obtain the min-entropy, defined as 

Hao{X) = - log max Px (a;) • 

For a fixed random variable A^, Renyi entropy is a continuous positive de- 
creasing function of a. For 0 < a < p, 

Ha(X) > Hp{X) (4) 

with equality if and only if X is uniformly distributed over some subset of X. In 
particular, log l-Tj > Ha{X) > 0 for a > 0 and H{X) > Ha{X) for a > 1. 

3 Review of Smooth Entropy and Privacy Amplification 

Smooth entropy [7] is an abstraction and a generalized formulation of privacy 
amplification [2] and entropy smoothing [12,14]. As an information measure, 
smooth entropy is defined operationally with respect to an application scenario 
(similar to channel capacity [9]). Its value cannot be computed immediately for a 
given probability distribution. This contrasts with other entropy measures such 
as Shannon or Renyi entropy that are defined formally in terms of a probability 
distribution. 

Consider a random variable X. We want to apply a smoothing function f : 
X ^ y to X such that Y = f{X) is uniformly distributed over its range y. The 
size of the largest y such that Y is still sufficiently uniform is a measure for the 
amount of smooth entropy inherent in X , relative to the allowed deviation from 
perfect uniformity. To quantify this deviation we use a nonuniformity measure 
M that associates with every random variable X a positive number M{X) that 
is 0 if and only if P\ is the uniform distribution Pjj over X. Examples for M 
are relative entropy D{Px\\Pu) = log \X\ - H{X) or Li distance [|Px - Pf/jji = 

The smoothing algorithm should be able to produce outputs that achieve 
some desired uniformity. More uniform outputs can usually be obtained by re- 
ducing the output size. We introduce the parameter s to control the trade-off 




197 



between the uniformity of the output and the amount of entropy lost in the 
smoothing process. 

Probabilistic smoothing functions are formalized by extending the input of 
/ with an additional random variable T that models the random choices of /. 
However, T must be independent of X and its value must be known to ensure 
that no randomness from T is inserted into Y. The size of T is explicitly ignored. 

It can be tolerated that the uniformity bound for an extraction process fails 
if an error event S occurs. £ should have small probability, denoted by e, and 
may depend on A^. The uniformity is calculated only in the case that the com- 
plementary event £ occurs. 

In many applications it is only known that the random variable X has some 
property that is shared by many others. Therefore, smooth entropy is defined 
for a family of random variables X with the same alphabet. The same smoothing 
algorithm is required to work for all probability distributions in the family. 

Definition 1 ([7]). Let M be a nonuniformity measure and let A : E — > R be a 
decreasing non-negative function. A family X of random variables with alphabet 
X has smooth entropy <f'(X) within A{s) [in terms of M] with probability 1 — e 
if !P(X) is the maximum of all t[> such that for any security parameter s > 0, a 
random variable T and a function f : X x T -t y exist with such 

that for all X S X there is a failure event £ that has probability at most e, and 
the expected value over T of the nonuniformity M of Y = f{X,T), given T and 
is at most A{s). Formally, 



!?(X) = max{tf-|Vs > 0 : 3T, / : A x T : 

VA € X ; r = f{X,T),3£ : P[£] <£,M{Y\T£) < Zi(s)}. 



A 



For singleton sets {Aj, we also use ^{X) instead of iF({A}). The failure 
probability e can be integrated into the uniformity parameter A(s) for certain 
nonuniformity measures such as L\ distance. 

The principal method for extracting smooth entropy is based on universal 
hashing. A universal hash function [8] is a set Q of functions X such that 
for all distinct X\,X 2 G A, there arc at most |f/l/|iV| functions g in Q such that 
g{^i) = 9{x2). 

Privacy amplification is fundamental for many unconditionally secure cryp- 
tographic protocols [2]. Assume Alice and Bob share a random variable W, while 
an eavesdropper Eve knows a correlated random variable V that summarizes her 
knowledge about W. The details of the distribution Pwv, and thus of Eve’s in- 
formation V about W, are unknown to Alice and Bob, except that they assume 
a lower bound on the Renyi entropy of order 2 of Pw\v=v for the particular value 
V that Eve observes. 

Using an authentic public channel, which is susceptible to eavesdropping but 
immune to tampering, Alice and Bob wish to agree on a function g such that 




198 



Eve knows nearly nothing about g{W). The following theorem by Bennett et 
al. [2] shows that if Alice and Bob choose g at random from a universal hash 
function t/ ; W -)• T for suitable 3^, then Eve’s information about Y = g{W) is 
negligible. 

Theorem 1 (Privacy Amplification Theorem [2]). Let X be a random var- 
iable over the alphabet X with Renyi entropy H 2 {X), let G be the random variable 
corresponding to the random choiee (with uniform distribution) of a member of 
a universal hash function G ■ X ^ y, and let Y = G(X). Then 

2log|V|-tf2(X) 

H{Y\G) > logITI . (5) 

The theorem can be applied in the described scenario by replacing Px with 
the conditional probability distribution Pw\v=v The Privacy Amplification The- 
orem implies that H 2 {X) is a lower bound for smooth entropy. It is crucial that 
the same smoothing algorithm can be applied to any X from a family X of 
random variables and produce an output of the desired size and uniformity. 

Corollary 2 ([7]). The smooth entropy of a family X of random variables with- 
in 2“®/ In 2 in terms of relative entropy with probability 1 is at least the minimum 
Renyi entropy of order 2 of any X G X. 

Note that Shannon entropy cannot be used as a lower bound for smooth 
entropy. This was observed by Bennett et al. [2] and is illustrated in the following 
example. 

Example 1. Suppose that everything we know about a random variable X is 
H{X) > t. Then Px could be such that Px{xq) = p for some xq € X with 
p = I — f/log(lA”| — 1) and Px{x) = (1 — p)/(|A'’j — 1) for all x ^ Xq. X satisfies 
H{X) = h{p) + (1 - p) logdTI - 1) > f. But A" = a;o occurs with probability p, 
and no matter how small a F is extracted from X, its value can be predicted 
with probability p. Thus, with knowledge of a lower bound on H{X) alone, the 
probability that X is guessed correctly cannot be reduced and only a small part 
of the randomness in X can be converted to uniform bits. Therefore, the entropy 
of a random variable is not an adequate measure of its smooth entropy. In other 
words, there are random variables with arbitrarily large entropy and almost no 
smooth entropy. O 

4 Spoiling Knowledge Proofs 

As noted above, Renyi entropy of order 2 is a lower bound for smooth entropy. 
A counter-intuitive property of conditional Renyi entropy of order a > 1 is that 
it can increase even on the average when conditioned on a random variable that 
provides side information. Suppose side information that increases the Renyi 
entropy is made available by an imaginary oracle. This increase can be exploited 
to prove lower bounds on smooth entropy that are much tighter than Renyi 
entropy of order 2. Side information of this kind was introduced by Bennett et 




199 



al. [2] and is called spoiling knowledge because it leads to less information about 
the output of the smoothing process. 

We examine side information that induces an event A such that P[>t] is at 
least 1 — e and H 2 {X\A) is large. This can then be transformed into a lower 
bound on smooth entropy with probability 1 — c of X. A formal statement of 
this is given in the next theorem, where the binary random variable V models 
side information such that A corresponds to V = 0. 

Theorem 3. The smooth entropy 'P(X) within 2~^ / \n2 with probability l — e of 
a random variable X is lower bounded by the maximum of the conditional Renyi 
entropy H 2 {X\V — 0), where the maximization ranges over all random variables 
V with alphabet {0, 1} such that the joint distribution Pxv is consistent with Px 
and satisfies Pv(0) > 1 — e.’ 

T'(X) > max = 0) (6) 

Pv:Pv{0)>l-f 

Note that the oracle knows the particular distribution of the random variable 
that is to be smoothed (e.g. the adversary’s knowledge in privacy amplification) 
and can prepare the side information depending on that distribution. 

For the construction of the lower bounds, we introduce special side informa- 
tion U with alphabet {0, Let U = f(X) be the deterministic function 

of X given by 

fix) = h ifPx{x)<2— 

\ [- log Px (x)J otherwise. 

We call side information U of this type log-partition spoiling knowledge because 
U partitions the values of X into sets of approximately equal probability and 
because it is most useful with m w log 1^]. For such m, the values of the proba- 
bility distributions Px\u--u differ at most by a factor of two for all u except for 
u — m. 

In the following, let 

Pmin = min Px {x) and p,„ax = max Px {x ) . 

The following two lemmas show that Renyi entropy of order 2 and Shannon 
entropy cannot differ arbitrarily for probability distributions where pmin and 
Pmax are a constant factor apart. 

Lemma 4. Let X be a random variable with alphabet A such thaipmux < c-prnin 
for some c > 1. Then 



1 ^ ^ ^1 
iT| -1 + c - 



1 



< 



< 



|T| - 1 + c' 



iPmax 




200 



Proof. It is easy to see that maximum of Pmax — Pm\n is reached when Px{x) = 
Pmin for all X except for the one that has maximal probability Pmax = c • Pmin ■ 
The lemma follows directly. □ 

If the minimum and maximum probability in a distribution Px do not differ 
by more than a constant factor, then the Renyi entropy of order 2 of X is at 
most a constant below the Shannon entropy. 

Lemma 5. Let X be a random variable with alphabet X such thatpuiax < c-Pmin 
for some c > 1. Then 



H 2 {X) > H(X)-21ogc. 

Proof. Lemma 4 is used in the second inequality of the following derivation: 
H(X) - H2{X) == H(X) + log Pxixf 

A' 

< log|Xl + log(lA'lp2,^J 

= 21og(|A|pmax) 

= 2(l0gc + l06(pJ^)) 

< 2 log c □ 

5 A Bound Using Renyi Entropy of Order a > 1 

The connection between entropy smoothing and Renyi entropy was established 
independently by Bennett et al. [2] and Impagliazzo et al. [12]. The Privacy 
Amplification Theorem shows that Renyi entropy of order 2 is a lower bound for 
smooth entropy. That is, for any random variable X by assuming only a lower 
bound t on H2{X), approximately t cJmost uniform random bits can be extracted 
from X and the deviation from a uniform distribution decreases exponentially 
when fewer bits are extracted. 

In some applications, only the stronger bound H^{X) > t in terms of min- 
entropy is assumed, equivalent to bounding the maximum probability of any 
value of X. Indeed, Theorem 1 holds if an assumption about Ha{X) for any 
a > 2 is made because H 2 {X) > Ha{X) for a > 2 by (4). 

On the other hand, it is known from Example 1 that a lower bound on 
Hi{X) = H{X) is not sufficient to guarantee a non-trivial amount of smooth 
entropy. Rather, the smooth entropy could be arbitrarily small if no further 
assumptions are made. In this section we examine the remaining range for 1 < 
a < 2. We show that, with high probability, the smooth entropy of X' is lower 
bounded by i7<,(X), up to the logarithm of the alphabet size and some security 
parameters depending on a and on the error probability. 




201 



Our approach uses a spoiling knowledge argument. We will use side informa- 
tion U such that for any distribution of X, with high probability, U takes on 
a value u for which H 2 {X\U — u) is not far below Ha{X). A simple and very 
weak bound that always holds follows from the next lemma. 



Lemma 6. For any random variable X and for any a > 1, 

H^{X) > H^(X) > H^(X). 



a — 1 

Proof. Because q > 1, 



-H^{X) = - logmaxPx(x)^ 

1 1 — (1 

> — ^log PxixT 

1—0 









The lower bound follows from (4). 



□ 



We conclude that 



H2{X) > H^{X) > ^-1h^{X) 

a 

for any o > 1. However, this bound is multiplicative in o - 1 which limits 
its usefulness for o — t 1. The tighter bound derived below is only additive in 
(a - 1)~^. It is based on the following theorem that provides the connection 
between the Renyi entropy of order o > 1 conditioned on side information and 
the Renyi entropy of the joint distribution. 

Theorem 7. Let a > 1 and let r,t > 0. For arbitrary random variables X and 
Y , the probability that Y takes on a value y for which 

H^{X\Y = y) > H^(XY)-log\y\- -t 

is at least 1 — 2 “’’ — 2 ~‘. 



Proof. It is straightforward to expand the Renyi entropy of XY as 
H^(XY) = -^\og V PxY{x,yr 

1 — Q 

= rb E Px\Y=y{xr 

y^y 

— log f‘Y{y) + {l-a)Ha(X\Y=y) ^ 

1 — a 



yey 




202 



We introduce the function P{y) = Hc,{X\Y = y) to interpret Ha{X\Y = y) as & 
function of y and consider the random variables Py[Y) and (3{Y). The equation 
above is equivalent to 




Inserting this into the right-hand side of inequality (2) yields 

Py[(l-a)/3(r) + (Q-l)logPy(K)-(l-a)i/„(Xy) > r] < 2'^ 

form which we see after dividing by 1 — q that with probability at least 1 — 2“'', 
Y takes on a value y for which 

Ha{X\Y = y) > H^[XY)+[ogPy[y)- (7) 

a — 1 

The only thing missing is a hound for the term logPy(t/). However, large values 
of |logPy(y)| occur only with small probability. For any t > 0, 



p[Py(y) < 2-ViTi] = Y. < 2"' 

y-PY{y)<-2-‘/\y\ 



because there are only 1>’| terms in the summation. Therefore, with probability 
at least 1 - 2“', 1' takes on a value y for which 



logPy(t/) > -t-log|T| 



( 8 ) 



and the theorem follows from (7) and (8) by the union bound. □ 

Applying this bound for log-partition side information gives the main result 
of this paper and shows how smooth entropy is lower bounded by Renyi entropy 
of order a for any q > 1. 

Theorem 8, Fix r,t > Q, let m. be an integer such that m — log(m + 1) > 
loglAI + t, and let s be the security parameter for smooth entropy. For any 
a > 1, the smooth entropy of a random variable X within 2“*/ In 2 in terms of 
relative entropy with probability 1 — 2“’' — 2“' is lower bounded by Renyi entropy 
of order a in the sense that 

F{X) > H^{X)-\og{m+l)~ -t-2. 

Proof. We again use log-partition spoiling-knowledge U = f{X) with alphabet 
{0, . . . , m} as defined above. Because / is a deterministic function of X, we have 
Ha{XU) = Ha{X) and Theorem 7 shows that U takes on a value u for which 

HUX\U = u) > H^(X)-\og\U\- -t 

a — 1 




203 



with probability at least 1 — 2 ^ — 2 *. Because m > log \ X\, Lemma 5 can be 
applied with c < 2 and by (4) it follows for all u ^ rn that 

H 2 (X\U = u) > H{X\U = u) ~2 > H^(X\U ^u) -2. 

Combining these results shows that the probability that U takes on a value 
u ^ m for which 

H2{X\U = ji) > H^{X) - \og{m + 1) ^--t-2 (9) 

a — 1 

is at least 1 — 2“'' - 2“h 

Remember that in (8) in the proof of Theorem 7, values of U with probability 
loss than 2“*“'°* 1^''! have been excluded. Therefore, if m is chosen such that 

P[?7=:m] = p^(x) < |T|-2-”‘ < 

^ (r.) < 2 -”' 



then U = m does not occur in (9). Choosing rn such that m — log(m + 1) > 
log lA"! + t achieves this and applying Theorem 3 completes the proof. □ 

Corollary 9. Let \ he a family of random variables and let r,t,m, and s be 
defined as in the theorem above. For any a > 1, the smooth entropy of X within 
2“®/ In 2 in terms of relative entropy with probability 1 — 2“’’ — 2"‘ satisfies 

'f’(X) > min Ha{X) — log(m +1) t — 2. 

The corollary follows from the fac:t that the oracle knows the distribution of 
the random variable X 6 X to be smoothed and can prepare the side information 
accordingly. Especially for large alphabets, these results can yield much better 
bounds on smooth entropy than Renyi entropy of order 2. The logarithmic term 
vanishes asymptotically with the alphabet size: For any a > 1, the ratio between 
smooth entropy and the logarithm of the alphabet size is asymptotically lower 
bounded by the ratio between Renyi entropy of order a and the logarithm of the 
alphabet size. 

Example 2. Consider the random variables Xp with alphabet {0, 1}” and distri- 
bution 



{x) 



I 2"-l 



for X = 0” 
otherwise 



for P ^n. (With P = 2 this is the example from [2].) The lower bound on ^{X) 
by Renyi entropy of order 2 is weak because H 2 {X) < nf p. However, H{Xf}) is 
very close to n bits. Figure 1 displays the Renyi entropy H„{Xp) for 1 < a < 2. 
For a close to 1, it is almost equal to H(Xp) r; n. 

Using Renyi entropy of order 2, Corollary 2 shows that 'F{Xs) within 2"*/ ln2 
with probability 1 is at least H 2 {Xs) ~ n/8. Allowing failure of the bound with 




204 




Fig. 1. Renyi entropy Ha(Xg) as function of a between 1 and 2. The random variables 
Xg for (3 = 16, 8, 4, 2 (from below) are defined as in Example 2 with n = 10000. The 
graph shows that, together with Theorem 8, Renyi entropy of order a close to 1 can 
yield much better bounds on smooth entropy than Renyi entropy of order 2. 



probability 2“'®, the lower bound by Theorem 8 on ^(X^) with probability 
1 — 2“^^ is about n — logn — 222 (using Renyi entropy of order a = 1.1, r = t = 20, 
and simplifying the choice of m such that m = loglTj = n). With n = 10000 
(as in Figure 1), ^(Xs) > 9764 with probability 1 — 2“'®, compared to Renyi 
entropy of order 2 from which we can conclude only 't'{Xs) > 1250. O 

For Q — t 1, the bound of Theorem 8 is reduced to the Shannon entropy. But 
as shown in Example 1, H{X] yields a weak lower bound for ^{X). The next 
example shows this transition for a -> 1. 

Example 3. Let X be a random variable with alphabet {0, We now ex- 
amine the lower bounds on when Ha{X) > 9000 is assumed for various a 

(see Figure 2). For a > 2, >F(X) > H^^X) > 9000 is guaranteed by Corollary 2. 
Theorem 8 shows that 'P{X) with probability 1 — 2^^^ is close to 9000 for a 
between 2 and about 1.05. The bound decreases sharply with q — ^ 1. For a = 1, 
if only H{X) > 9000 is assumed, the random variable constructed in Example 1 
has H 2 {X) = 6.64 and has almost no smooth entropy. O 

6 A Tighter Bound Using the Profile of the Distribution 

The last section shows how smooth entropy can be lower bounded by Renyi 
entropy of order a for any a > 1. This bound, however, is not tight for small 






205 




Fig. 2. The dependence of the lower bound for on the order a of Rrayi entropy. 
The graph shows the lower bound of Theorem 8 on the smooth entropy within 

2“'’ / In 2 with probability 1 - 2^® that can be deduced from Ha (.Y) > 9000 as a function 
of a. Note the sharp decrease with a -4 1. (See also Example 3.) 



alphabet sizes. We derive a tighter bound in this section that depends on an 
assumption about the profile of the probability distribution (defined below) . The 
bound is tighter than the one of Theorem 8, especially for smaller alphabets. 

We use again log-partition spoiling knowledge (/ € W = {0, . . . , m} as defined 
above. For a fixed value m, define the profile ttx of the random variable X as 
the function ttx : W — t N such that for u < in 



and 



7rx(n) 



{x e < Px(x) < 2““} 



7Tx{m) 



{x€X\Px{x)<2~^’']\. 



The expected difference (over U) between the logarithm of the profile ttx (m) 
and the conditional entropy of X given U, H{X\U = u), can be used to obtain 
a lower bound on smooth entropy. Examining the structure of the probability 
distributions Px\u=u for all u such that ttx{u) > 2, we see that the logarithm of 
the profile, 7rx(«), is close to the conditional entropy, H{X\U = u), in the sense 
that 



log7Tx(u) > H{X\U = u) > -Mog(7rx(M) - 1). (10) 






206 



[h denotes the binary entropy function.) Note that H{X\U = u) = 0 for the 
remaining u with 7Tx{u) < 2. Therefore, 

E[/[log^x(f/)] > If(X\l/) > E(/[log(^x(/7) - 1)]. (11) 

We arc now ready to state the main result of this section. 

Theorem 10. Let X be a random variable, let f > 0, let m be an integer such 
that m > log \X\ + log 1, let t > 0, and let k be a positive integer. Let U be the 
log-partition side information for X introduced above and let 



fi{u) = max j log Tfx (u) ~ Ei/ j^log(7rA'(tf) - l) , 

E[/[log7rx(ff) - log(TTx(n) - l) j. 



for all u such that itx (u) > 2 and pt(u) = Ef/[log 7Tx(f/)] for u such that 7tx(u) < 
2. If 

< e-t*, 

the following lower bound on the smooth entropy of X within 2“®/ln2 in terms 
of relative entropy holds with probability at least 1 — 2e ; 



>L{X) > H{X\U)-t-2 > i/(X) - log(m + 1) - f - 2. 



Proof. Let 7 («) = H{X\U = u) be a function of m € W that denotes the entropy 
of X given U = u and consider the random variable C = j{U). The expectation 
E[C] is equal to H{X\U) > H{X) - log(m + 1). Applying the fc-th moment 
inequality (1), we see that 



P[\C-E[C]\>t] 



E[|C-£[C]|^] 



( 12 ) 



If this probability is small, then H{X\U = u) > H{X\U) — t with high proba- 
bility. Using (10) and (11), we can bound the probability in (12): 



e[ic-£;[c7]|*-] 

= Y^Pv{u)\H{X\U =u)~H{X\U)f 

u(zU 

= Y. Pu{u)H{X\Ut + 

u : nx{u)<‘2 

Y Pu{u)[HiX\U = u) H{X\U)f + 

u : H{.X\U=u)>H[X\U) 

Y Pu{u)[HiX\U)-H{X\U = u)y 

•.i:H(X\U^u]<H(X\U) 




207 



< Y, Puiu)H{X\U)>^ + 

u : TX X {u)<C2 

Y Pu {u) (^log TTX (w) - Efj [log(7Tx (f/) - 1)] ) + 

U-. H{X\U=u)>H{X\U) 

Y Pi/(u)(E(,-[log7rx(f/)] “ log(7Tx(u) - 1)) 
u : H{X\U=u)<H{X\U) 

= Y Pu{’>t)fiii‘'f 

uEU 

where the last step follows form the definition of /u(u). We conclude from (12) 
and from the assumption of the theorem that H{X\U = u) > H(XIU) —t occurs 
with probability at least 1 — e. It follows from Lemma 5 that for it 7^ m 

H2{X\U = u) > H{X\U)- t-2. (13) 

But the event U — m has small probability because the choice of m guarantees 
that 

P[U = m] = Y ^ |A'|-2“"* < c. 

^ ■■ P.\ (x)<‘2~"' 

By the union bound, the total probability that (13) fails is 2e and the proof is 
completed by applying Theorem 3. □ 

Example 4- Consider again the random variable A'g from Example 2. For n = 
100 and desired total failure probability 2“'**, the bound of Theorem 8 cannot be 
applied and we have to resort to Renyi entropy of order 2 that shows ^{X») > 
12.5 (within 2“’/ In 2 in terms of relative entropy). 

Applying Theorem 10 with e = 2~“®, t = 12, and A: = 6, however, shows 
that tf'(A^s) > 84.6. Therefore, a 60-bit string Y can be extracted from Ag by a 
randomly chosen universal hash function such that H (Y\T) > 60 - 2“ In 2. O 

As the example shows, the bound on smooth entropy by Theorem 10 can 
be much tighter than Renyi entropy of order 2 and also tighter than the bound 
of Theorem 8. However, this comes at the cost of the stronger assumption that 
must be made in terms of the profile of the distribution to be smoothed. 

Acknowledgment 

It is a pleasure to thank Ueli Maurer for his motivation and support and .Jan 
Camenisch for helpful remarks. 

References 



1 . C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental 
quantum cryptography,” Journal of Cryptology, vol. 5, no. 1, pp. 3-28, 1992. 




208 



2. C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, “Generalized privacy 
amplification,” IEEE Transactions on Information Theory, vol. 41, pp. 1915-1923, 
Nov. 1995. 

3. C. H. Bennett, G. Brassard, and J.-M. Robert, “How to reduce your enemy’s 
information,” in Advances in Cryptology — CRYPTO ’85 (H. C. Williams, ed.), 
vol. 218 of Lecture Notes in Computer Science, pp. 468-476, Springer- Verlag, 1986. 

4. C. H. Bennett, G. Brassard, and J.-M. Robert, “Privacy amplification by public 
discussion,” SIAM Journal on Computing, vol. 17, pp. 210-229, Apr. 1988. 

5. G. Brassard and C. Crepeau, “25 years of quantum cryptography,” SIC ACT News, 
vol. 27, no. 3, pp. 13-24, 1996. 

6. G. Brassard and C Crepeau, “Oblivions transfers and privacy amplification.” Pro- 
ceedings of EUROCRYPT ’97, 1997. 

7. C. Cachin and U. Maurer, “Smoothing probability distributions and smooth en- 
tropy.” Preprint (abstract to appear in Proceedings of International Symposium 
on Information Theory, ISIT 97), 1997. 

8. J. L. Carter and M. N. Wegman, “Universal classes of hash functions,” Journal of 
Computer and System Sciences, vol. 18, pp. 143 154, 1979. 

9. T. M. Cover and J. A. Thomas, Elements of Information Theory. New York: Wiley, 
1991. 

10. C. Crepeau, “Efficient cryptographic protocols based on noisy channels.” Proceed- 
ings of EUROCRYPT ’97, 1997. 

11. J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby, “Construction of a pseudo- 
random generator from any one-way function,” Tech. Rep. 91-068, International 
Computer Science Institute (ICSI), Berkeley, 1991. 

12. R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generation from one- 
way functions,” in Proc. 21st Annual ACM Symposium on Theory of Computing 
(STOC), pp. 12 24, 1989. 

13. M. Kharitonov, “Cryptographic hardness of distribution-specific learning,” in Proc. 
25th Annual ACM Symposium on Theory of Computing (STOC), pp. 372-381, 
1993, 

14. M. Luby, Pseudorandomness and Cryptographic Applications. Princeton University 
Press, 1996. 

15. M. Luby and A. Wigderson, “Pairwise independence and derandomization,” Tech. 
Rep. 95-035, International Computer Science Institute (ICSI), Berkeley, 1995. 

16. U. M, Maurer, “Secret key agreement by public discussion from common infor- 
mation,” IEEE Transactions on Information Theory, vol. 39, pp. 733-742, May 
1993. 

17. N. Nisan, “Extracting randomness: How and why — a survey,” in Proc. 11th An- 
nual IEEE Conferen.ee on Computational Complexity, 1996. 

18. A. Renyi, “On measures of entropy and information,” in Proc. 4lh Berkeley Sym- 
posmm on Mathematical Statistics and Probability, vol. 1, (Berkeley), pp. 547-561, 
Univ. of Calif. Press, 1961. 

19. .S. Vembu and S. Verdu, “Generating random bits from an arbitrary source: Funda- 
mental limits,” IEEE Transactions on Information Theory, vol. 41, pp. 1322-1332, 
Sept. 1995. 

20. D. Zuckerman, “Simulating BPP using a general weak random source,” Algorith- 
mica, vol. 16, pp. 367-391, 1996. Preliminary version presented at 32nd FOGS 
(1991). 




Information-Theoretically Secure Secret-Key 
Agreement by NOT Authenticated 
Public Discussion^ 



Ueli Maurer 

Department of Computer Science 
ETH Zurich 

CH-8092 Zurich, Switzerland 
maurerQinf . ethz . ch 



Abstract. All information- theoretically secure key agreement protocols 
(e.g. based on quantum cryptography or on noisy channels) described in 
the literature are secure only against passive adversaries in the sense that 
they assume the existence of an authenticated public channel. The goal 
of this paper is to investigate information-theoretic security even against 
active adversaries with complete control over the communication channel 
connecting the two parties who want to agree on a secret key. Several 
impossibility results are proved and some scenarios are characterized in 
which secret-key agreement secure against active adversaries is possible. 
In particulcir, when each of the parties, including the adversary, can ob- 
serve a sequence of random variables that are correlated between the 
parties, the rate at which key agreement against active adversaries is 
possible is characterized completely: it is either 0 or equal to the rate 
achievable against passive adversaries, and the condition for distinguish- 
ing between the two cases is given. 



1 Introduction 

One of the fundamental problems in cryptography is the generation of a shared 
secret key by two parties, Alice and Bob, not sharing a secret key initially, in the 
presence of an adversary Eve who has access to the communication channel con- 
necting Alice and Bob. Several scenarios, which differ in their assumptions about 
Eve’s capabilities and possibly about the intractability of certain computational 
problems, have been considered in the literature. 

Public-key cryptography introduced by Diffie and Heilman [9] (see also [20]) 
solves this problem under the two assumptions that 

(1) Eve is unable to solve a certain computational problem (such as factoring 
integers or computing discrete logarithms in a certain finite group) in feasible 
time, and 

^ This work is supported in pEirt by the Swiss National Science Foundation, grant no. 
20-42105.94. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 209-225, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




210 



(2) that Eve has only passive (read) access to the communication channel be- 
tween Alice and Bob, i.e., that the communication between Alice and Bob 
is authenticated. 

The purpose of this paper is to investigate the described key distribution prob- 
lem when neither of these assumptions is made: We consider adversaries with 
infinite computing power and complete control over the communication channel 
connecting Alice and Bob. Several impossibility results are proved and some sce- 
narios in which secret-key agreement secure against active adversaries is possible 
are characterized. Secret-key agreement can be possible in this scenario only if 
Alice and Dob (but possibly also Eve) have correlated information. More for- 
mally, while Alice and Bob share no secret key initially, they know some random 
variables X and Y , respectively, jointly distributed with a random variable Z 
known to Eve. The joint probability distribution is denoted PxYZ- 

One can have different opinions about whether it is reasonable to assume 
that a specific computational problem is difficult. Furthermore, since quantum 
computation has been invented as a (at least for now) theoretical model of com- 
putation, it is not completely clear whether intractability assumptions in the 
Turing machine model of computation are still adequate. There also exist dif- 
ferent opinions about whether certain methods of authentication, like speaker 
identification on a voice channel, are strong enough to support the second as- 
sumption above. It is not a goal of this paper to discuss these issues, but we 
believe that avoiding both assumptions is an interesting research topic. 

There exists a substantial body of results on secret-key agreement by public 
discussion secure against adversaries with infinite computing power (see Sec- 
tion 2.3 for a brief summary), but they all depend in a crucial manner on the as- 
sumption that eavesdroppers are passive and hence the communication between 
Alice and Bob can be assumed to be authenticated. Of course, as is pointed out 
in these papers, the authenticity can be guaranteed, even when the channel is 
completely insecure, when Alice and Bob initially share a secret key that is used 
for authentication purposes (see Section 2.2). Hence these results can be inter- 
preted as providing information-theoretically secure protocols for expanding a 
short initially shared secret key to an arbitrarily long secret key. 

This paper characterizes scenarios in which secret-key agreement against ac- 
tive adversaries is possible and shows that for an important class of scenarios of 
correlated random variables available to Alice, Bob and Eve, active adversaries 
are not more powerful than passive ones. 

2 Key-agreement protocols 

2.1 Scenarios and definitions 

We now formalize key-agreement protocols; the security of such protocols will 
be defined later. 




211 



Definition 1. A key-agreement protocol consists of three phases: 

— a (possibly missing) initialization phase^ in which Alice, Bob and an ad- 
versary Eve receive random variables X, Y and Z, respectively, which are 
jointly distributed according to some probability distribution PxYZ- 

— During the communication phase Alice and Bob alternate sending each other 
messages Ci , C2 , . . . where we assume that Alice sends messages Ci , C3 , Cs , . . . 
and Bob sends messages C2, C4, Ce, ■ • - Each message depends possibly on 
the sender’s entire view of the protocol at the time it is sent and possibly on 
privately generated random bits. Let t be the total number of messages and 
let C* = [Cl , • • • , Cl] denote the set of exchanged messages. 

— Finally, Alice and Bob each either accepts or rejects the protocol execution, 
depending on whether they believe to be able to generate a secret key. If 
Alice accepts, she generates a key S depending on her view of the protocol. 
Similarly, if Bob accepts, he generates a key S' depending on his view of the 
protocol. 

In general, the channel connecting Alice and Bob is completely insecure, i.e. 
Eve can see every message C, and replace it by an arbitrary message C, of her 
choice. She need not keep Alice and Bob synchronized and she can impersonate 
either party by fraudulently initiating a protocol execution. 

For stating impossibility results in the strongest possible form, we also con- 
sider protocols in which certain messages can be sent in a secret or authenticated 
manner (by appropriate means not specified by the protocol) . 

Definition 2. If a message C, is secret (by the protocol specification), Eve learns 
nothing about it except that it exists^ . However, she may replace such a message 
by a different message. If a message Ci is authenticated (by the protocol specifica- 
tion), then the receiver will always (with probability 1) detect any modification 
to the message due to Eve, but Eve sees the message. 

Considering a passive adversary is equivalent to assuming the entire com- 
munication to be authenticated. The above definition can be made information- 
theoretically precise. 

If two parties share a secret key, they can use the one-time pad encryption to 
transmit a message in perfect secrecy over a completely insecure channel. They 
can also use part of the secret key for authenticating messages (see Section 2.2). 

^ The initialization phase summarizes the parties’ entire initial information, for in- 
stance the history of previous executions of protocols, the information resulting from 
quantum transmissions (like in quantum cryptography [2]), or information received 
from other sources like a satellite broadcasting random bits (see Section 4.3) or the 
signal of a deep-space radio source. When the initialization phase is missing, this 
means that Alice’s and Bob’s complete knowledge at the beginning of the protocol 
is assumed to be statistically independent. 

^ It is possible that she later obtains information about Ci because subsequent mes- 
sages depend on Ci, but Eve never learns anything about Ci not provided by subse- 
quent messages. This will be formalized in the full paper. 




212 



However, in contrast to perfect secrecy, perfect authenticity cannot be achieved 
even if a secret key of arbitrary fixed size is used because an adversary can 
always guess the key with non-zero probability of success. Authenticity and 
confidentiality are dual security properties, and the duality can be shown in 
various ways (e.g., see [16]). 

All the protocol steps proposed in this paper are polynomial-time com- 
putable, but there may generally be steps in subprotocols taken from the lit- 
erature that are not known to be computable in polynomial time. However, for 
every protocol resulting in Alice and Bob sharing a secret key mentioned here, 
there also exist efficient protocols for generating a secret key (which may be 
somewhat shorter). 

In general, the distribution Pxyz may be under Eve’s partial control and 
may only partly be known to Alice and Bob. Two examples are the privacy 
amplification scenario [3] mentioned in Section 2.3, and quantum cryptography, 
where both Bob’s and Eve’s distributions depend on the type of measurement 
performed by Eve on the photons sent by Alice. In this paper we assume that 
Pxyz is known to all parties. 

In the sequel we assume without loss of generality that S and S' are binary 
strings of length [S'! = |5'| = k. Clearly, the goal of a protocol is that S and S' 
agree with very high probability and that Eve has very little information about 
S. An adversary can of course block the communication between Alice and Bob 
completely by replacing all messages by empty messages, thus preventing any 
secret-key agreement. The goal of the design of a protocol can thus only be 
to generate a (hopefully large amount of) secret key when Eve is passive, but 
to detect any tampering with very high probability. However, even when Eve’s 
strategy is active, it is allowed that she goes undetected if the secret key shared 
by Alice and Bob at the end of the protocol nevertheless is secret. In other 
words, Alice and Bob should not primarily be interested in catching an active 
cheater but in making sure that whenever they believe (or at least one of them 
believes) to have agreed on a secret key, then this is indeed the case with very 
high probability. 

Definition 3. A key-agreement protocol with |5| = kis (e, S)-secure if, for every 
passive eavesdropping strategy, 

P[S 7^ 5'j < e, 

/(.S;C"Z)<e, 
and H(S)>k-e, 

and if for every active adverse strategy, with probability at least 1—5, either 
Eve is caught by at least Alice or Bob (i.e. they do not both accept) or they 
successfully generate a secret key S (and S') satisfying the above conditions. 

Note that one cannot require both Alice and Bob to reject. Eve could delete 
the last message from Alice to Bob (or vice versa) that would make Bob accept 
after Alice has accepted. (Byzantine agreement is impossible between two players 
in the presence of an active adversary.) 




213 



Here H{S) denotes the entropy® of S and I{S\C*'Z) = H{S) - H{S\C^Z) 
denotes the information about 5 given by Eve’s total observation (consisting 
of and Z). The condition H{S) > k — e implies that S is virtually uni- 
formly distributed and together with the condition I{S\C^Z) < e it implies 
H{S\C^Z) > k - 2t and hence that S is also virtually uniformly distributed 
from Eve’s point of view, i.e., given Eve’s total information. Such a uniformity 
constraint could alternatively be defined in terms of any reasonable constraint on 
the deviation of a distribution from the uniform distribution, without changing 
the results of this paper. 



2.2 Unconditionally secure message authentication 

Adversaries with complete control over the communication channel have previ- 
ously been considered in message authentication scenarios where, unlike in this 
paper, a secret key is shared initially by Alice and Bob about which Eve is 
assumed to have no information a priori. 

Unconditionally secure message authentication based on a shared secret key 
was first considered in [11] and later in a large number of papers (e.g. [22], [23]). 
One of the most recent papers on this topic is by Gemmell and Naor [10] who 
proved the surprising result that interactive protocols for authenticating an n- 
bit message are more efficient in terms of the length of the secret key required 
to restrict an adversary’s cheating probability to at most p. In particular, they 
proposed a one-round protocol using only logn — 21ogp bits of secret key and 
showed that this can be reduced to log**^ n - Slog p in a fc-round protocol. We 
will make use of these results. 



2.3 Review of the literature 

In this section some of the results on secret-key agreement by perfectly authen- 
ticated public discussion are reviewed. Shannon’s [21] famous result on perfect 
secrecy, stating that a cipher can achieve perfect secrecy only if the entropy of the 
secret key is at least as large as the entropy of the plaintext, can be considered 
as a special case (for 1-round protocols) of Theorem 1 below. Although Wyner’s 
wire-tap channel scenario [25] and Csiszar and Korner’s generalization [8] thereof 
do not include a public channel between Alice and Bob, they should neverthe- 
less be mentioned here. In those scenarios, Alice can send information over a 
so-called broadcast channel where Bob and Eve can receive different outputs of 
the channel. Secret information transmission (and hence secret-key agreement) 
was shown to be possible if and only if Eve’s channel is noisier than Bob’s chan- 
nel [8], an assumption that is generally unrealistic. 

In the scenario considered in quantum cryptography (see [2] and references 
therein), Alice can send polarized light pulses of very low intensity to Bob over 

® H{S) = — p^^^).^QPs{s)\og 2 Ps{s). See [6] for an introduction to the basic con- 

cepts of information theory. 




214 



some channel (e.g. an optical fiber) controlled by Eve. The use of this quan- 
tum communication results in Alice, Bob, and Eve possessing correlated strings. 
By subsequent discussion over the authenticated public channel, Alice and Bob 
manage to generate a secret key about which Eve has arbitrarily little informa- 
tion. 

Another special case of key agreement protocols secure against passive ad- 
versaries is privacy amplification introduced in [4] and generalized in [3]. Privacy 
amplification is a protocol step that would typically be used as the last step in a 
practical key agreement protocol, but it can itself be described in the framework 
of key agreement protocols. Here Alice and Bob are assumed to know a string 
W (i.e. X — V — W) about which Eve has some partial information. The proto- 
col of [3] is secure even when Eve specifies an arbitrary probability distribution 
Pzw unknown to Alice and Bob, subject to the only constraint that a bound 
on the second order Renyi entropy of W, given Eve particular value z of Z, 
is known to Alice and Bob. In the privacy amplification literature only passive 
adversaries have been considered. It is proved in [19] that privacy amplification 
secure against active adversaries is possible when the adversary’s min-entropy 
about the string is more than half its length. 



3 The case of no common initial information 

In this section we characterize to what extent secret and/or authenticated com- 
munication between Alice and Bob can help them to agree on a secret key. 
These results demonstrate an interesting difference between computational and 
information-theoretic cryptography. In both models a secret channel from Alice 
to Bob can be transformed into an authenticated channel from Bob to Alice. 
This is achieved by Alice sending a secret key to Bob and Bob using the key in a 
message authentication techniques (see Section 2.2) for authenticating a message 
to be sent to Alice. 

In sharp contrast, only the computational model allows to transform an au- 
thenticated channel from Alice to Bob into a secret channel from Bob to Alice. 
This is achieved by Alice sending her public key for a public-key cryptosystem 
to Bob who uses it to encrypt the message to be sent secretly to Alice. The secu- 
rity of public-key cryptosystems is inherently bound to be computational rather 
than information-theoretic. (Actually, this follows from Theorem 1 below.) See 
also [16] for a discussion of the described and other security transformations. It 
is hence not surprising that in the information-theoretic model, when Alice and 
Bob have no common information initially, authenticated channels are of no use, 
in contrast to secret channels. 

Theorem 1. Consider key agreement protocols without initialization phase which 
allow some of the exchanged messages to be either secret or authenticated. For 
e < 1 — 3/(|5| -I- 2) there exists no such protocol that is {e,5)-secure, even when 
all messages are authenticated ( or, equivalently, when Eve is passive.) Moreover, 
even if all messages from Alice to Bob are secret and all messages from Bob to 




215 



Alice are authenticated, there exists no such protocol that is (e,S) -secure against 
active adversaries for any <5 < 1 . 

Proof. To prove the first part we make use of Theorem 1 of [14] which implies 
that 

H(S) <H(S\S') + IiS-,C*) (1) 

for all such protocols. Note that the random variables X, Y do not exist in our 
context and hence I{X;Y) = 0 in Theorem 1 of [14] . Fano’s Lemma (see [6]) 
states that the error probability p of guessing a random variable U when given 
a correlated random variable U' satisfies 

/7([/|C/') < h(p) +plog2(|ZY| - 1), 

where U is the set of possible values that U can take on"*. Therefore the condition 
P[5 7 ^ S"] < e implies 

H{S\S') < h{e) + ek 

which together with inequality (1) and the second and third conditions of Defi- 
nition 3 gives 

k - e < H{S) < h{e) -i- ek + e. 

Using h{e) < 1, this implies A: — 1 < e{k -f 2) and hence £ > 1 — 3/(fc 4- 2). 

To prove the second part, notice that from Bob’s point of view, Alice has 
no advantage compared to Eve. When Eve performs the same protocol as Alice 
would, pretenting to be Alice, Bob accepts with the same probability sis he would 
accept a protocol execution with Alice which according to the definition is 1. □ 

Note again that the first statement of the theorem is in sharp contrast to the 
public-key cryptographic scenario where, under a suitable intractability assump- 
tion, secret-key agreement secure against computationally bounded adversaries 
is possible when a single authenticated message in each direction can be sent. A 
public-key cryptosystem can be interpreted [16] as a means for transforming an 
authenticated channel into a secret channel in the other direction. The following 
well-known result is an observation following from Theorem 1. 

Corollary 2. A public-key cryptosystem can be computationally secure but not 
information-theoretically (i.e. unconditionally) secure. 

Theorem 3. Assume that one secret (but not necessarily authenticated) mes- 
sage can be sent from Alice to Bob. Then, for any S > 0, key agreement (0,<5)- 
secure against active adversaries is possible if, in addition, either an authenti- 
cated message can be sent from Alice to Bob or a secret message can be sent 
from Bob to Alice. 

* h(p) = —p\og 2 P — (1 — p)log 2 (l — p) denotes the binary entropy function which 
measures the entropy of a binary random variable that takes on the two values with 
probabilities p and 1 — p. 




216 



Proof. Note that when the same message from Alice to Bob is both secret and 
authenticated, then Alice can simply send a secret key as the message. When two 
messages can be sent from Alice to Bob, one secret and one authenticated, then 
Alice can send a random n-bit string R to Bob (n > —2 log 2 S) over the secret 
channel and the description of a function / in a universal class hash functions 
from {0,l}”to{0,l}"[7] over the authenticated channel, together with the first 
n/2 bits of f{R). The other half of f{R) is kept by Alice and Bob as their secret 
key. If Eve’s capability to interfere with the secret channel is limited to sending 
fraudulent messages {but she is assumed to be unable to modify a message sent 
from Alice to Bob), then no universal hash function is needed; it could instead 
be replaced by the identity function. 

The proof for the case of a secret channel from Bob to Alice is based on the 
following protocol. Bob (secretly) sends Alice a random string U of sufficient 
length (i?(log(i)). Then they use the above protocol where the authenticated 
channel is obtained by Alice by using an authentication scheme [10] using R as 
the secret key. □ 

Theorem 1 is pessimistic; it demonstrates that information-theoretically se- 
cure secret-key agreement against active or passive adversaries is impossible to 
achieve when the channel between Alice and Bob is completely insecure. How- 
ever, if Alice and Bob have correlated information initially (not necessarily a 
secret key, but possibly only two bitstrings that are somehow correlated), about 
which also Eve has partial knowledge, then secret-key agreement can be possible. 

In the following we consider such scenarios. One of our general goals is to 
achieve secret-key agreement under mild conditions on such an initialization 
phase, for instance conditions that can be argued to occur (or can be made to 
occur) in a realistic communications scenario. 

4 Protocols with initialization phase 

4.1 Impossibility results 

The following theorem on authenticated public discussion follows from Corol- 
lary 1 in [14]. Recall from Section 2 that X, Y, and Z are the random variables 
obtained by Alice, Bob, and Eve, respectively, during the initialization phase. 

Theorem 4. For every probability distribution PxYZ, a key agreement protocol 
that is (e,S} -secure against passive (or active) adversaries satisfies 

H{S) < mm[I{X-,Y),I{X-,Y\Z)]Fh{e) + t{k + l). 

In particular, for e = 0, we have H{S) < mm[I{X\Y),I{X-,Y\Z)\. 

Note that by definition, I{X-,Y) = H{X) - H{X\Y) and I{X-,Y\Z) = 
H{X\Z)~H{X\YZ) and that l\X\ Y\Z) > l\x- Y) is possible. It will be demon- 
strated In the following section that this theorem is not as pessimistic as it looks 
at first sight. 




217 



Theorem 4 states that secret-key agreement is possible and only if V gives 
a substantial amount of information about X, both when Z is given or when it 
is not. In other words, X and Y must be correlated, and this correlation must 
to some extent be independent of Z. The bound min[/(X; y), /(X; yjZ)] can 
be replaced by the stronger bound derived in [18], called the intrinsic mutual 
information between X and Y given Z. It is the minimum of I{X-,Y\Z') over 
conditional probability distributions Pz'\z- 

Definition 4. We call the distribution Pxyz X -simulatable by Eve if Eve can 
generate from Z a random variable X such that the pairs [X, Y] and [X,y] have 
the same distribution, i.e. if there exists a conditional probability distribution 
Px\z such that 

Pxri^^y) = PxY{x,y) 

for all X and y, where is the marginal distribution of Pxxyz ~ Pxyz- Px\z^ 
i.e., 

Pjcvi^^y) = Y^Y^PxYz(x',y,z) ■ Pxizi^,z). 

x’ z 

Similarly, the distribution Pxyz is called Y -simulatable by Eve if the symmetric 
condition with respect to Bob, with X replaced by Y and X replaced by Y, is 
satisfied. 

More intuitively, Pxyz is X-simulatable by Eve if she can send Z through 
a (simulated) channel (characterized by Px\z) whose output X htis the same 
joint distribution with y as X. (An example of such a distribution is given 
in Section 4.3.) Therefore, when Pxyz is X-simulatable by Eve, then there is 
no way Bob can distinguish between a correct message sent by Alice and an 
appropriately generated fraudulent message sent by Eve. Similarly, when Pxyz 
is y-simulatable by Eve, then there is no way Alice can distinguish between a 
correct message sent by Bob or a fraudulent message sent by Eve. We obtain the 
following generalization of Theorem 1. 

Theorem 5. When Pxyz is X-simulatable (or Y -simulatable) by Eve, then no 
key agreement protocol can be {e,S) -secure against active adversaries for any e 
and (5 < 1, even if all messages from Alice to Bob (Bob to Alice) are perfectly 
secret and all messages from Bob to Alice (Alice to Bob) are authenticated. 



4.2 Independent repetition of a random experiment 

In order to be able to derive interesting results on secret-key agreement against 
active or passive adversaries, we must consider specific types of probability dis- 
tributions of the random variables given to Alice, Bob, and Eve. 

One natural assumption is that the random experiment generating the triple 
[X, y, Z] is repeated many times independently. Hence we assume that Alice, 
Bob and Eve receive strings X" = [Xi, . . . , X„], y" = [yi, . . . , y,], and Z" = 




218 



[Zi, . . . , Z„], respectively, where 



Px’'Y’'Z’>{Xl,. . = Y[PxYZi.Xi,yi, Zi). 

1=1 

Note that we have changed the notation here and for the rest of the paper: 
PxYZ now denotes the distribution of one of several random experiments while 
it previously denoted the distribution of the overall experiment. 

This particular scenario is motivated by the well-known models for discrete 
memoryless sources and channels of communication theory. Many concrete prac- 
tical scenarios can be modeled in this way, for instance the one discussed below 
in which Alice, Bob, and Eve receive noisy versions of a random string broadcast 
by a satellite or of the signal emitted by a deep space radio source. 

For such a scenario of independent repetitions of a random experiment, the 
quantity that is of most interest is the maximal rate at which Alice and Bob 
can generate secret key bits, where rate is to be understood per execution of the 
random experiment generating a triple [X,Y,Z]. 

Definition 5. The secret key rate of Pxyz for passive adversaries, denoted 
S{PxYz), is the maximum rate at which Alice and Bob can agree on a secret 
key S while keeping a passive adversary’s information about S arbitrarily small. 
More formally, it is the maximal R such that for all e > 0, for all R' < R, and for 
ail sufficiently large n there exists a protocol with |5| = [R'n\ that is (e, 0)-secure 
against passive adversaries®. The secret key rate of Pxyz for active adversaries, 
denoted S*(Pxyz), is defined in the same way, except that the adversary is 
allowed to be active, and for any given (5 > 0, (e, <5)-security is required instead 
of (e, 0)-security. 

The first part of this definition is given in [15] as a considerably strengthened 
definition of that given in [14] , and the second part is new. In particular, in [14] it 
was only required that the rate at which Eve obtains information, I{S-, C^Z'^)jn 
be arbitrarily small for large n, and proving results for the much stronger def- 
inition involves some technical steps, including privacy amplification [3]. The 
following result was proved in [15] (and in [14] using the weaker definition). 

Theorem 6. S{Pxyz) w lower and upper bounded by 

max[0, I{Y-,X)-I{Z-,X), I{X-,Y)-I{Z-,Y)] < S{Pxyz) 



and 

S(PxYz) < mm[I{X;Y), I{X-,Y\Z)]. 

The lower bound is not tight in general. In particular, for the binary scenario 
discussed in Section 4.3, if Eve’s channels is less noisy than both Alice’s and 
Bob’s channel, the lower bound vanishes while the secret-key rate is actually 
strictly positive. 

For the case of passive adversaries, 5 = 0 can trivially be achieved. 



5 




219 



We are primarily interested in investigating the relation between S{Pxyz) 
and S*{PxYz), i-e., the power of authenticated versus non-authenticated com- 
munication. Quite surprisingly, it turns out that S*{Pxyz) = 0 or S*{Pxyz) — 
S{PxYz)- However, before treating the general case, we consider the case of 
binary symmetric random variables which is of particular interest. 

4.3 The binary case 

In this section we consider the natural special case where the random variables 
known to Alice, Bob and Eve are noisy versions of a random string (e.g. broadcast 
by a satellite) received over binary symmetric channels Ca, Cb and Ce with bit 
error probabilities ca, cb and ce, respectively (see Figure 1). Without loss of 
generality we assume that these channels are independent because any scenario 
of dependent channels can be transformed [14] into an equivalent scenario of 
independent channels (with different bit error probabilities). In other words, 
when U denotes the random bit generated by the source (Pr/(0) = i^o(l) = 1/2), 
we have 

PxYz\u = Px\u ■ Py\u • Pz\u 

where Px\ui^, r) = 1 - ex if x = u and ex else, PY\u{y,r) = 1 - ts if y = u and 
£b else and Pz\u{z,r) — 1 - €e if z = u and ce else. 







Fig. 1. The scenario of three independent channels 

It is easy to verify that Pxyz is A'-simulatable by Eve if and only if eg < 
€x and it is F-simulatable by Eve if and only if ce < Cb- Such a simulation 
can be achieved by Eve by sending Z through an additional (simulated) binary 
symmetric channel of appropriate bit error probability. Therefore, when either 
CE < Cb or Ce < £a in the described scenario, then S*{Pxyz) = 0 by Theorem 5. 







220 



Let 

f-AB — - ^A^B 

be the bit error probability between corresponding bits of Alice’s and Bob’s 
strings, and let similarly 



^AE = M + ej5 — ^A^B 



and 

^BE = + ^E — CB^E 

be the bit error probabilities between corresponding bits of Alice’s and Eve’s 
and between Bob’s and Eve’s strings, respectively. 

Assuming that Alice and Bob share no secret key initially, authentication for 
messages transmitted from Alice to Bob can nevertheless be achieved when Eve’s 
channel is noisier than Alice’s channel > e. 4 ). This implies that cbe > ^aBi 
i.e. that Alice’s bits agree with Bob’s bits with higher probability than Eve’s 
bits agree with Bob’s bits. 

To demonstrate this fact, consider the following (very wasteful) authenti- 
cation method.® A more efficient scheme will be considered below. In order to 
authenticate a single bit (fc = 1) sent from Alice to Bob, Alice appends a sub- 
string of of length 1. The two substrings of X” appended to authenticate 
a 0 or a 1 are disjoint. For instance, a 0 or a 1 is authenticated by appending 
(for some q) the string [X,, . . . ,Xj+j_i] or [X^+m, ■ • ■,Xq+ 2 i-i], respectively, as 
the authenticator, and these m = 21 bits of X'^ are never used again for any 
other purpose. Bob expects to receive as an authenticator either a version of 
[E,,... , or of [Yq+m, ■ • • , Yq+ 2 i-i\ with a fraction of close to tAB bit er- 

rors. Informally, Bob hence accepts the received bit if and only if the fraction 
of bits in the authenticator that agree with his noisy version of the authentica- 
tor ([E,, . . . , E,+;_i] or \Yq+m, • ■ • , E,+ 2 J-i]) is not much smaller than 1 - 
It is easy to see that for any fixed ess > ^ab, the probability that Eve can 
successfully deceive Bob is exponentially small in 1. 

The described scheme is quite inefficient in terms of the number of bits used 
from the sequence. A much better approach is described in the proof of the 
following theorem. 

Theorem 7. When cbe > ^ab in the described binary scenario, a k-bit message 
sent from Alice to Bob can be authenticated by an I -bit authenticator with I = 2k 
using m = 4fc bits of the random string X'^ and achieving an arbitrarily small 
deception probability for sufficiently large k. 

Proof sketch. A scheme for authenticating a A:-bit message sent from Alice to 
Bob using m bits of X’^ (e.g. [X,, . . . ,X,+m-i] for some q) can be derived as 
follows. Every message is authenticated by appending a particular subset of bits 
in [Xq, . . . ,X,+m_i]. These subsets should be sufficiently disjoint to avoid that 

® In the following we consider schemes for authenticating a fc-bit message by an Z-bit 
authenticator using m > I bits of the common sequence. 




221 



such an authenticator can be guessed by Eve from an observed one. Bob checks 
whether his version of the authenticator (i.e. his subset of [y,, . . . , yg+m-i]) 
agrees with the received authenticator on a fraction roughly 1 - cab of the bits, 
as expected when Alice sends the authenticator. Security requires that given 
one of these sets, it should be impossible for Eve to approximate a different 
authenticator of Alice with a bit error fraction close to cab- 

When Eve has intercepted a message together with its authenticator, her 
best strategy for creating an authenticator for a different message (hoping that 
it will be accepted by Bob) is to copy those bits from the received authenticator 
that are also contained in the new authenticator and to take as guesses for 
the remaining bits her copies of the bits (in [Zg,.. ZgAm-i]}, introducing bit 
errors in those bits with probability cbb- The maximal probability of successful 
deception is hence determined by the number d of bits that Eve must guess and 
the total number I of bits in the forged authenticator. 

The expected value and the standard deviation of the number of bits in the 
correct autenticator that agree with Bob’s corresponding bits are 



H — 1{1 — €ab) 



and 

'7' = \/^€aB(l - cas), 



respectively. When Eve tries to deceive Bob, the expected value and the standard 
deviation of the fraction of bits in the forged autenticator that agree with Bob’s 
corresponding bits are 

// = {I - d)eAB + d^BE 



and 

<7' = \/(l - d)eAn(l - (ab) + dessi^ ~ ^bb), 



respectively. Bob accepts an authenticator if and only if the number of his bits 
that agree with the corresponding authenticator bits is within q standard devia- 
tions of p, where 5 is a security parameter that grows with /. The difference be- 
tween the two expected values is desE amd the standard deviation is cr = 

When d grows substantially faster than \/l one can let q = Q{dj\/V). The law 
of large numbers implies that Eve’s cheating probability decreases exponentially 
in q. 

We now investigate how this can be achieved. An appropriate set of such 
subsets of bit positions (i.e., subsets of {1, . . . ,m}) can be interpreted as a code: 
each subset corresponds to a codeword of length m, where a 1 (or a 0) indicates 
that the bit at the corresponding position is (is not) contained in the subset. The 
weight of a codeword is equal to the length of the corresponding authenticator. 

The desired distance property of the code differs from the Hamming dis- 
tance considered in the theory of error-correcting codes. Instead, we define the 
0-1 distance from a codeword ci to a codeword C2, denoted d(ci — t C2), as the 
number of bits that Eve must guess when trying to convert the authenticator 
corresponding to ci into the authenticator corresponding to C2- The distance 
d(ci ->C2) is hence defined as the number of transitions from 0 to 1 when going 




222 



from Cl to C 2 , hence not counting the transitions from 1 to 0. Note that this 
distance is not symmetric, i.e. d{c\ -> 02 ) d(c 2 -tci) in general. It is required 
that the 0 — 1 distance from any codeword to any other codeword be large, say 
at least d. A conventional linear code cannot be used because the 0 — 1 distance 
from any codeword to the zero-codeword is zero. 

We now give a simple construction of codes that are good with respect to this 
distance measure. One can convert any code of length / and minimum distance 
d into a (non-linear) code of length tn = 2l and minimum 0-1 distance d, where 
each codeword has weight 1. This is achieved by replacing every bit in the original 
code by pair of bits, namely by replacing 0 by 01 and 1 by 10. 

In the context of this proof, a possible code to be used for the construction 
is an extended Reed-Solomon code over a finite field GF(2^) [5]. For any K 
there exists such a code encoding K information digits into codewords of length 
N = 2’^ and with minimum distance iV — iF -f 1. By interpreting elements of 
GF{2’') as binary substrings of length r, we obtain a binary code with 2'’^ 
codewords of length 2rN and with minimum 0 — 1 distance at least d. 

By taking r as a security parameter and letting N = 2^, K = N/2 and 
k — rK we obtain I = 2k = rN and m = 21 = 2rN. This is sufficient to 
complete the proof. □ 

By symmetry, the same technique can be used to authenticate messages sent 
from Bob to Alice, provided that eg > cb- This theorem shows that the rate at 
which random bits are needed for authentication is a constant factor times the 
bit rate at which Alice sends messages to Bob. Therefore, the secret key rate of 
PxYZ for active adversaries is a constant (< 1) times the secret key rate of Pxyz 
for passive adversaries. In the proof of the following theorem we need to show 
that the number of bits needed for authentication is asymptotically negligible 
compared to the number of bits needed for secret-key agreement (in the passive 
case) . 

Theorem 8. When both (e > €b and ce > (a in the described scenario, then 
S*{PxYz) = S{PxYz), i-a., an active adversary is not more powerful than a 
passive adversary. Otherwise, if either ce > e/? or ce > ca, then S*{Pxyz) = 0. 

Proof. The fact that 5* {Pxyz) = 0 when either eg < eg or e^; < ca follows from 
Theorem 5 because Pxyz is either AT-simulatable or F-simulatable by Eve. The 
fact that S*{PxYz) = S{Pxyz) when eg > eg and ce > ca can be proved as 
follows. A suboptimal protocol based on the authentication method of Theorem 7 
can be used to generate a relatively small f-bit secret key K, using 0{t) bits 
of the random string. This key can then be used, similar to a bootstrapping 
process, for instance based on the protocols of [10], to authenticate the messages 
exchanged in an optimal passive-adversary protocol V achieving S{Pxyz)- The 
size of K must only be logarithmic in the maximal size of a message exchanged 
in V [10] and linear in the number of rounds of V. No matter what amount of 
secret key must be generated by V, this can be achieved by using messages of 
size proportional to the key size in a constant number of rounds. Therefore, the 
ratio of size of K and the size of the generated key vanishes asymptotically. □ 




223 



It is known from [14] that 

min[h(eyi£;), /i(eBB)] - h(cAB) < S{Pxyz) < 1 - h(exjs)- 

It was recently proved that S{Pxyz) > 0 unless eg = 0 [17], even when both 
Cje; < CB and tE < €/i, i-e., even when the above lower bound vanishes (or is 
negative). 



4.4 A completeness result for the general case 

Let PxYZ be an arbitrary probability distribution of a random experiment that 
is repeated many times. In general, only lower and upper bounds on S{Pxyz) 
are known and S{Pxyz) is known exactly only for special cases. The following 
theorem characterizes S*{Pxyz) completely in terms of Pxyz and S{Pxyz) 
and characterizes the power of active adversaries in comparison to passive ones 
for the described noisy-channel initialization scenario. Determining the exact 
power of a passive adversary remains an open problem. 

Theorem 9. When Pxyz either X -simulatable or Y -simulatahle by Eve, 
then S*{PxYz) = 0. Otherwise, S*(PxYz) = S{Pxyz)- 

Proof sketch. The proof of this theorem relies on the theory of typical sequences^ 
and is similar to the proof of Theorem 8, which is a special case of this theorem, 
but the technical details are omitted from this extended abstract. In order to 
authenticate a fc-bit message by an 1 = 2fc-bit authenticator using m = Ak 
bits of X" (or of F" when Bob is the sender), the described approach based 
on error correcting codes can be used to select the positions of a subsequence 
[Xii , . . . , XjJ of X”. The receiver accepts the message if and only if the sequence 
of pairs [(Xjj , Fj ), . , . , (X;, , F , )] is 7-typical for the distribution Pxy for some 
suitable small 7. One can prove that for every distribution Pxyz that is neither 
X-simulatable nor F-simulatable by Eve, there exists a positive 7 such that 
for sufficiently large k Eve’s cheating probability is arbitrarily small. The same 
argument as in the proof of Theorem 8 can be used to prove that the ratio of 
bits needed for authentication and of bits used for secret-key agreement vanishes 
asymptotically. □ 



Acknowledgement 

I would like to thank Christian Cachin and Stefan Wolf for interesting discussions 
and helpful comments. 

Loosely speaking, a sequence U\,. . . ,Ur of digits of an alphabet U is 7- typical for a 
given distribution Pu over Li if for every u G li the fraction of occurrences of u in 
Ui, . . . ,Ur deviates by at most 7 from Pu{u) (see for instance [6]). 




224 



References 

1. R. Ahlswede and I. Csiszar, Common Randomness in information theory and 
cryptography - part I; secret sharing, IEEE Transactions on Information Theory, 
Vol. IT-39, 1993, pp. 1121-1132. 

2. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, “Experimental 
quantum cryptography”. Journal of Cryptology, Vol. 5, no. 1, 1992, pp. 3-28. 

3. C.H. Bennett, G. Brasseird, C. Crepeau, and U.M. Maurer, “Generalized privacy 
amplification”, to appear in IEEE Transactions on Information Theory, Nov. 1995. 

4. C.H. Bennett, G. Brassard and J.-M. Robert, “Privacy amplification by public 
discussion”, SIAM Journal on Computing, Vol. 17, no. 2, April 1988, pp. 210-229. 

5. R. E. Bleihut, Theory and Practice of Error Control Codes, Reading, M A: Addison- 
Wesley, 1983. 

6. R. E. Blahut, Principles and Practice of Information Theory, Reading, MA: 
Addison- Wesley, 1987. 

7. J. L. Carter and M. N. Wegman, “Universal classes of hash functions”, Journal of 
Computer and System Sciences, Vol. 18, 1979, pp. 143-154. 

8. I. Csiszar and J. Kdrner, “Broadcast channels with confidential messages”, IEEE 
Transactions on Information Theory, Vol. IT-24, no. 3, 1978, pp. 339-348. 

9. W. Diffie and M. E. Heilman, “New directions in cryptography”, IEEE Transac- 
tions on Information Theory, Vol. IT-22, 1976, pp. 644-654. 

10. P. Gemmell and M. Naor, Codes for interactive authentication Advances in Cryp- 
tology — Proceedings of Crypto ’93, Lecture Notes in Computer Science, Vol. 773, 
Springer-Verlag, Berlin, 1994, pp. 355-367. 

11. E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, Codes which detect decep- 
tion, Bell Syst. Tech. J., Vol. 53, No. 3, 1974, pp. 405-424. 

12. R. L. Graham, D. E. Knuth and O. Pat 2 ishnik, Concrete mathematics, Reading, 
MA: Addison-Wesley, 1990. 

13. U.M. Maurer, Protocols for secret key agreement by public discussion based on 
common information. Advances in Cryptology - CRYPTO ’92, Lecture Notes in 
Computer Science, Berlin; Springer-Verlag, vol. 740, pp. 461-470, 1993. 

14. U. M. Maurer, Secret key agreement by public discussion from common informa- 
tion, IEEE Transactions on Information Theory, vol. IT-39, 1993, pp. 733-742. 

15. U. M. Maurer, The strong secret key rate of discrete random triples. Communica- 
tions and Cryptography, Two Sides of one Tapestry, R.E. Blahut et al. (editors), 
Kluwer Academic Publishers, 1994, pp. 271-285. 

16. U. M. Maurer and P.E, Schmid, A calculus for security bootstrapping in distributed 
systems. Journal of Computer Security, vol. 4, no. 1, pp. 55-80, 1996. 

17. U. M. Maurer and S. Wolf, Towsu'ds characterizing when information-theoretic se- 
cret key agreement is possible, Advances in Cryptology - ASIACRYPT ’96, K. Kim 
and T. Matsumoto (Eds.), Lecture Notes in Computer Science, Berlin: Springer- 
Verlag, vol. 1163, pp. 145-158, 1996. 

18. U.M. Maurer and S. Wolf, The intrinsic conditional mutual information and per- 
fect secrecy, to appear in Proc. 1997 IEEE Symposium on Information Theory, 
(Abstracts), Ulm, Germany, June 29-July 4, 1997, 

19. U. M. Maurer and S. Wolf, Privacy amplification secure against active adversaries, 
preprint, 1997. 

20. R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures 
and public-key cryptosystems. Communications of the ACM, Vol. 21, No. 2, 1978, 

pp. 120-126. 




225 



21. C. E. Shannon, Communication theory of secrecy systems, Bell System Technical 
Journal, Vol. 28, October 1949, pp. 656-715. 

22. G. J. Simmons, Authentication theory /coding theory, in Advances in Cryptology 
- CRYPTO 84, G.R. Blakley and D. Chaum (Eds.), Lecture Notes in Computer 
Science, No. 196, Berlin; Springer Verlag, 1985, pp. 411-431. 

23. D.R. Stinson, Universal hashing and authentication codes, Advances in Cryptol- 
ogy — Proceedings of Crypto ’91, Lecture Notes in Computer Science, Vol. 576, 
Springer- Verlag, Berlin, 1994, pp. 74-85. 

24. M. N. Wegman and J. L. Carter, New hash functions and their use in authentica- 
tion and set equality. Journal of Computer and System Sciences, Vol. 22, 1981, 
pp. 265-279. 

25. A. D. Wyner, The wire-tap channel. Bell System Technical Journal, Vol. 54, no. 8, 
1975, pp. 1355-1387. 




Linear Statistical Weakness of Alleged RC4 
Keystream Generator 



Jovan Dj. Golic * 

School of Electrical Engineering, University of Belgrade 
Bulevar Revolucije 73, 11001 Beograd, Yugoslavia 



Abstract. A keystream generator known as RC4 is analyzed by the lin- 
ear model approach. It is shown that the second binary derivative of the 
least significant bit output sequence is correlated to 1 with the corre- 
lation coefficient close to 15 -2“^" where n is the variable word size of 
RC4. The output sequence length required for the linear statistical weak- 
ness detection may be realistic in high speed applications if n < 8- The 
result can be used to distinguish RC4 from other keystream generators 
and to determine the unknown parameter n, as well as for the plaintext 
uncertainty reduction if n is small. 



1 Introduction 

Any keystream generator for practical stream cipher applications can generally 
be represented as an autonomous finite-state machine whose initial state and 
possibly the next-state and output functions as well are secret key dependent. A 
common type of keystream generators consists of a number of possibly irregularly 
clocked linear feedback shift registers (LFSRs) that are combined by a function 
with or without memory. Standard cryptographic criteria such as a large period, 
a high linear complexity, and good statistical properties are thus relatively easily 
satisfied, see [16], [17], but such a generator may in principle be vulnerable to 
various divide-and-conquer attacks in the known plaintext (or ciphertext-only) 
scenario, where the objective is to reconstruct the secret key controlled LFSR 
initial states from the known keystream sequence, for a survey see [17] and [6]. 
Most the attacks require an exhaustive search over the initial states of a subset 
of the LFSRs, with the exception of a small number of faster cryptanalytic 
attacks which may work for long LFSRs as well, such as fast correlation attacks 

[13] based on iterative probabilistic decoding, the conditional correlation attack 

[14] based on information set decoding, and the inversion attack [10], all on 
regularly clocked LFSRs, and a specific fast correlation attack on irregularly 
clocked LFSRs whose theoretical framework is developed in [8]. In practice, 
the initial state is for resynchronization purposes also made dependent on a 

* This work was done while the author was with the Information Security Research 
Centre, Queensland University of Technology, Brisbane, Australia. This research 
was supported in part by the Science Fund of Serbia, grant #04M02, through the. 
Mathematical Institute, Serbian Academy of Science and Arts. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 226-238, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




227 



randomizing key, which is typically sent in the clear before every new message 
to be encrypted. This may open new possibilities for cryptanalytic attacks, see 
[ 2 ]. 

In the open literature, there is a very small number of proposed keystream 
generators that are not based on shift registers. For example, an interesting 
design approach, which may have originated from the table-shuffling principle 
[12], is to use a relatively big table that slowly varies in time under the con- 
trol of itself. A keystream generator [15] publicized in [18] and known as RC4 
(although a public confirmation is still missing) is such an example, which is 
according to [18] widely used in many commercial products, including Lotus 
Notes, Apple Computer’s AOCE, Oracle Secure SQL, and the Cellular Digital 
Packet Data specification [1]. Another, somewhat similar example is a keystream 
generator called ISAAC [11]. Of course, one may also use a set of tables con- 
trolling each other, but this may lead to some divide-and-conquer attacks. The 
resulting schemes are hardly analyzable, and about the only known theoretical 
argument [4] concerns the period of the internal state sequence, but has prob- 
abilistic rather than deterministic nature. Namely, if the internal memory size 
is M and if the next-state function is randomly chosen according to the uni- 
form distribution, then the average cycle and tail lengths are both around 2^^^, 
whereas if the next-state function is in addition required to be invertible, then 
the internal state period (cycle length) is uniformly distributed between 1 and 
2^, with the average value 

The statistical properties of the keystream sequence are typically measured 
by standard statistical tests, and for some sequences, including the LFSR ones, 
theoretical results can be derived as well. For keystream generators like RC4 
such theoretical results are difficult to establish. The results typically deal with 
the relative frequency of occurrence of blocks of successive symbols within a 
period, where the block size is assumed to be smaller than the internal memory 
size. However, it is shown in [7], [9] that for block sizes bigger than M, a linear 
statistical weakness or a so-called linear model always exists and cajr be efficiently 
determined by the linear sequential circuit approximation (LSCA) method [5]. 
The linear statistical weakness is a linear relation among the keystream bits 
that holds with probability different from one half. It turns out [9] that for 
many practical schemes, including the clock-controlled LFSRs, the keystream 
sequence length needed to detect the weakness is considerably shorter than the 
period. Although the weakness may not lead to a significant plaintext uncertainty 
reduction, it is structure dependent and can be used as such to distinguish 
between different types of keystream generators and for secret key reconstruction 
as well. As well, linear models of individual components of a keystream generator 
can be utilized in correlation attacks, whereas multiple linear models can also 
be used to mount fast correlation attacks [8] on clock-controlled LFSRs. 

The main objective of this paper is to derive linear models for RC4 by using 
the LSCA method [5], [9]. The LSCA method consists in determining and solving 
a linear sequential circuit that approximates a given keystream generator and 
yields linear models with comparatively large correlation coefficient c, where 




228 



the probability of the corresponding linear relation among the keystream bits is 
(1 + c)/2. It also gives an estimate of c, but sometimes, as in the case of RC4, 
special techniques have to be developed to obtain more accurate estimates of c. 

Given a parameter n, the internal state of RC4 consists of a balanced table 
(permutation) of 2” binary words of dimension n and two pointer binary words 
of the same dimension, n, which, at each time, define the positions of two words 
in the table to be swapped to produce the table at the next time. The internal 
memory size^ is thus practically given as M = n2” + 2n. One of the pointers is 
updated by using the table content at the position defined by the other, which 
is in turn updated in a known way by a counter. Initially, the two pointer words 
are set to zero and the table content is defined by the secret key in a specified 
way. At each time, the output of RG4 is a binary word of dimension n which is 
taken from an appropriate position in the table. The output word is then bitwise 
added to the plaintext word to give the ciphertext word. 

Let 2 = ( 2 j)^^ denote the least significant bit output sequence of RC4 
and let z = {zt = zt + 2^+1 )^j and z — {zt = zt + zt+ 2 )t^i denote its first 
and second binary derivatives, respectively. Our main results are to show that 
i is correlated neither to 1 nor to 0 and that z is correlated to 1 with the 
correlation coefficient close to 15 • 2“^" for large 2”. Since the output sequence 
length needed to detect a statistical weakness with the correlation coefficient 
c is 0{c~^), the required length is around 64"/225. For example, if n = 8, as 
recommended in most applications, the required length is close to 2^° ~ 10^^. 
Experimental results agree well with the above theoretical predictions. As the 
resulting correlation coefficient is significantly bigger than 2^^^, M — n.2" + 2n, 
the determined linear model should be regarded as a statistical weakness, at 
least on a theoretical level. Moreover, the output sequence length required for 
the detection may even be realistic in high speed applications if n < 8. Also 
note that the second binary derivative weakness involves only three successive 
least significant output bits which is much smaller than the memory size. The 
weakness is a consequence of a very simple next-state function of RC4. It is also 
shown that similar linear relations hold for other output bits as well, but the 
correlation coefficients are smaller. 

In Section 2, a more detailed description of the RC4 keystream generator is 
presented. In Section 3, some relevant correlation properties of random boolean 
functions are derived, while the linear models of RC4 and the corresponding 
correlation coefficients are determined in Section 4. A summary and conclusions 
are given in Section 5. Central moments of an underlying discrete probability 
distribution needed for estimating the correlation coefficients are evaluated in 
the Appendix. 



^ The effective internal memory size is slightly smaller and is according to Stirling’s ap- 
proximation given as log 2" ! -I- 2n « 2" (n - log e) -I- 5n/2 -t- log All the logarithms 

are to the base 2 throughout. 




229 



2 Description of RC4 

We will follow the description given in [18], RC4 is in fact a family of algorithms 
indexed by a parameter n, which is a positive integer typically recommended 
to be equal to 8. The internal state of RC4 at time t consists of a table St = 
(<S't(0)f=o ^ of 2” n-bit words and of two pointer ri-bit words it and jt- So, the 
internal memory size^ is M = n2" + 2n. Let the output n-bit word of RC4 at 
time t be denoted by Zt- As usual, we keep the same notation for the binary and 
integer representations of n-bit words, where, for example, the least significant 
bit is the leftmost one. Let initially io — jo = 0. Then the next-state and output 
functions of RC4 are for every t > 1 defined by 



it — it-i + 1 



( 1 ) 



jt — jt-i + St-i{it) 



( 2 ) 



Stilt) = St-tUi), StUt) = St-tik) 



(3) 



Zt = StiStik) + StUt)) (4) 

where all the additions are modulo 2”. It is assumed that all the words except for 
the swapped ones remain the same (swapping itself is effective only if it ^ jt)- 
The output n-bit word sequence is Z = 

The initial table So is defined in terms of the key string K = 
using the same next-state function starting from the table (identity permutation) 
{l)'i=o^- More precisely, set jo = 0 and for every 1 < f < 2", compute jt = 
(jt_i + St-i{t - 1) Kt-i) mod 2" and then swap St-i{t — l) with St~i{jt)- The 
last produced table represents So- The key string K is composed of the secret 
key, possibly repeated, and of the randomizing key which is sent in the clear for 
resynchronization purposes. 

There are no published results regarding RC4. The known pointer sequence 
ensures that every element in the table is affected by swapping at least 
once in any 2" successive times and, also, that the next-state function is invert- 
ible (one-to-one). Accordingly, the state diagram consists of cycles only, which, 
according to [4], can be expected to have average length close to 2^“^ and are 
very unlikely to be short if n > 5. Of course, since the next-state function of 
RC4 is not randomly chosen, this remains to be proved, if possible at all. 



3 Correlation Properties of Random Boolean Functions 

The correlation coefficients of the linear models of RC4 to be determined in 
the next section are related to certain correlation properties of random boolean 
functions. These properties provide insight into the linear statistical weaknesses 
of RC4 and are as such pointed out in this section. Note that the correlation 




230 



properties of boolean functions for cryptographic applications are first intro- 
duced in [19]. Let / denote an arbitrary boolean function of n variables and let 
f(X) denote the value of / at a point X = {xo, - ■ ■ ,Xn-i) € {0,1}". We will 
use the same notation, X, for the integer representation of X too, that is, for 
A boolean function / is called balanced if it has the same number 
of zeros and ones in its truth table. In the probabilistic analysis to follow, we 
will, for simplicity, keep the same notation for random variables and their values. 
As usual, the correlation coefficient between any two binary random variables x 
and y is defined as c = Pr{r = y} - Pr{x ^ y}. The correlation coefficient of a 
single binary random variable x is defined as the correlation coefficient between 
X and the constant zero variable. Accordingly, let for any two boolean functions 
/ and g, c{f,g) denote the correlation coefficient between f{X) and g{X), and 
let c(/) stand for c(/, 0), where X is uniformly distributed. A basic result to be 
used is that the correlation coefficient of a sum of independent binary random 
variables is equal to the product of their individual correlation coefficients, see 
[9] (addition of binary variables is modulo 2 throughout) . 

Proposition!. Let X andY be two independent uniformly distributed n-dimen- 
sional binary random variables and let f be a uniformly random boolean function 
of n variables. Let I be an arbitrary linear boolean function of n variables ( in- 
cluding the constant zero function). Then the correlation coefficient c between 
f{X) -b f(Y) and 1{X) -f- 1{Y) is equal to 1/2". (Instead of being linear, I may 
be any boolean function of n variables.) 

Proof. Let c/ denote the correlation coefficient between f(X)-\-l{X) and f(Y) + 
1{Y) for any fixed /. The correlation coefficient c is then equal to the expected 
value of c/ over uniformly random /. The correlation coefficient c/ is clearly 
equal to the correlation coefficient of f{X) -b 1{X) -b f{Y) -b l(Y) which is in 
turn equal to the product of the correlation coefficients of f{X) + I (X) and 
f{Y) -b 1{Y), as X and Y are independent. Since the two are equal, we get that 
Cf = c{f,l)^. Since I is fixed, c is then equal to the expected value E{c{f)^), 
where c(/) is itself given as — 2"“^) with k being the number of zeros 

in the truth table of /. As A: has the binomial distribution , it 

follows that E{c{f)^) = 2^^*“")Var(fc) = 2“", because the variance Var(fc) is 
equal to 2”-^. □ 

Proposition 2. Let X andY be two independent uniformly distributed n-dimen- 
sional binary random variables and let f be a uniformly random balanced boolean 
function of n variables. Let I be an arbitrary nonzero linear boolean function of 
n variables. Then the correlation coefficient of f{X) I- f{Y) is equal to zero and 
the correlation coefficient c between f{X) + f(Y) and 1{X) -b 1{Y) is equal to 
1/(2" — 1). (Instead of being linear, I may be any balanced boolean function of n 
variables.) 

Proof. First note that for any balanced /, the correlation coefficient of f{X) is 
equal to zero. Then the correlation coefficient of f{X) -b f(Y) is equal to zero 




231 



since, for any fixed /, it is the product of two zero correlation coefficients. Second, 
proceeding along similar lines as in the proof of Proposition 1, we get that 
c = E{c(f,l)'^). Since I is balanced and fixed, c{f,l) is given as — 2""^) 

where k is the number of zeros in the half of the truth table of / where 1{X) = 0. 

The probability distribution of A: is < (^ ) /(jn-i) I with the variance 

I J k=0 

Var(A;) = 22<"-2)/(2" - 1 ). Hence E{c{f,l)^) = 22<2-«)Var(A;) = 1/(2" - 1). □ 

Propositions. Let I be an arbitrary nonzero linear boolean function of n vari- 
ables and let f be a uniformly random balanced boolean function of n variables 
such that c{f, 1) = c where c is a given constant. Then the correlation coefficient 
of f{X) + 1{X) is equal to c for any fixed X . (Instead of being linear, I may be 
any balanced boolean function of n variables.) 

Proposition 4. Let X be a uniformly distributed n-dimensional binary random 
variable and let f be a uniformly random balanced boolean function ofn variables. 
Let X -\-l denote the integer addition modulo 2" of X and 1. Then the correlation 
coefficient o/ /(X) + /(X + 1) + 1 is equal to 1/(2" — 1). Furthermore, let I be a 
linear function defined as 1{X) — xq and let f be in addition such that c{f,l) = c 
where c is a given constant. Then the correlation coefficient o//(X)+/(X + l) + l 
is equal to <? for any fixed X. (Instead o/ X + 1, one may take any permutation 
P{X) such that P{X) 5 ^ X, X e {0,1}", but then a balanced function I has to 
be defined appropriately.) 



4 Linear Models 

The essence of the linear sequential circuit approximation (LSCA) method [5], 
[9] applied to binary keystream generators is in finding good linear approxi- 
mations to the output and the component next-state functions and in solving 
the resulting linear sequential circuit. Its objective is to obtain feedforward lin- 
ear transforms (i.e., linear sequential transforms with finite input memory) of 
the output sequence that are correlated to linear transforms of the initial state 
variables (to be used in correlation attacks) and, in particular, to the constant 
zero sequence, in which case the output linear transform defines a linear relation 
among the output bits that holds with probability different from one half. The 
resulting probabilistic linear recursion is called a linear model [9] . Estimating the 
correlation coefficients can be a problem on its own. In the underlying probabilis- 
tic model, the initial state is assumed to be random and uniformly distributed, 
and if the next-state function is one-to-one, then the internal state at any time is 
also uniformly distributed, so that the resulting correlation coefficients are time 
independent, see [9]. 

In the case of RC4, the next-state function is one-to-one and the balanced 
initial table So (each n-bit word appears exactly once) can be assumed to be 
uniformly random, but the initial pointer words io and jo are both fixed to zero. 
It follows that for every t > 0, the table St is uniformly random and balanced. 




232 



whereas it is deterministic and known and jt is uniformly distributed for t > 1, 
but dependent on St- As a consequence, while the dependence between jt and 
St is insignificant, the deterministic nature of it may in principle lead to linear 
models with time dependent correlation coefficients. A related approach is to 
fix the initial state and to consider the same linear relation at random times, in 
which case the average value of the correlation coefficient over time is relevant. If 
the tail and cycle lengths combined are big (as one should expect for RC4), then 
the obtained correlation coefficient should be close to the value corresponding 
to a fixed time and a random initial state. 

Since RC4 has n binary outputs, one should first decide on a linear com- 
bination of these outputs to be linearly approximated. To maximize the cor- 
relation coefficients, we will consider the individual binary outputs. Let 

3t^\ and S^^^ denote the fcth components of Zt, it, jt, and St, respectively, 
0 < k < n — 1, where k = 0 corresponds to the least significant bit of the 
corresponding n-bit words. Note that St defines a uniformly random balanced 
vectorial boolean function {0,1}“ — > (0, 1}“, so that St^^ is a uniformly ran- 
dom balanced boolean function of n variables. As the linearization of Zt and jt 
necessarily involves finding linear approximations to St, the problem is to find 
such approximations leading to the correlation coefficients that do not vanish 
for a random St- The main point of the LSCA method applied to RC4 is that 
St can be approximated by St-i, because of the slow change of the table due 
to swapping. Another point is that can be approximated by any linear 

function of its inputs, but to maximize the overall correlation coefficient, is 
approximated by its /cth binary input. As before, all the additions of Z-bit words 
are integer additions modulo 2' (usually, Z = 1 or Z = n). 

As a result, we get Zt'^^ « -t- 1) + Slt\(jt-i + 5't_i(Z(-i -I- 1)) « 

, where is linearized exactly twice. It then follows that Zt'^^ + Z\+i « 

jt-\ ^ where is known for every t > 1. The total number of linear 
approximations needed is five. In order for the overall correlation coefficient 
not to vanish, the total number of linear approximations to S^^\ should be even, 
because positive and negative correlation coefficients would otherwise cancel out. 
More precisely, Proposition 2 can be extended to deal with an arbitrary number 
of linear approximations, in which case the resulting correlation coefficient is 
related to the central moments of the probability distribution considered in the 
Appendix, and the odd central moments are necessarily equal to zero. So, the first 
binary derivative of any binary component of the n-dimensional output sequence 
does not represent a linear model with a nonzero correlation coefficient. 

Further, by adding two successive bits of the first binary derivative sequence 
we get that Z^^^ + ~ which is further equal to 1 if fc = 0 and can 

be approximated asOifl<Zc<n— 1. The total number of linear approximations 
needed for this is at most ten and will be shown be equal to six. Accordingly, 
the second binary derivative of any binary component of the output sequence 
defines a linear model with a nonzero correlation correlation coefficient, to be 
determined in the sequel. The most significant correlation coefficient is obtained 




233 



for the least significant bit, that is, for k = 0. Other linear models for RC4 should 
have smaller or much smaller correlation coefficients. 

Our objective now is to estimate the correlation coefficient between the sec- 
ond binary derivative -I- Z^^^ 1, for any t > 1. Letting F = St, 

F' = St+i, F" = St+ 2 , X = it, and y = jt, we have 

^(0) ^ + 

F"^^\F"{X -t- 2) + F”{Y + F{X 4- 1) -h F'{X + 2))) (5) 

where Y is uniformly distributed, F is a uniformly random balanced vectorial 
boolean function, and F' and F" are obtained from F by one and two random 
swappings of two n-bit words, respectively, whereas X is fixed for any particular 
t and is uniformly distributed for a random t. 

The direct computation of the correlation coefficient by using (5) is not pos- 
sible since the functions F, F', and F" are random. The starting point of our 



approach is forming the following series of linear approximations: 

F"(°^(F"(X + 2) + F"(Y -I- F(X -I- 1) -h F'(X + 2))) (6) 

F(°^(X) + F^°^(Y) + 

F”(°\X -h 2) -b + 1) + + 2)) (7) 

a F^°\X) + F(“>(y) -I- F"(°)(X + 2) + 

y(°> +F<°)(X-bl)-bF'(°>(X + 2) (8) 

« F(°)(X) -t- y(°> 4- F"(°^(X + 2)4- 
y(o) +i?(o)(^Y + l) + F'‘“>(X+2) (9) 

«F(°)(X)+F<o)(X + 1) (10) 

« 1 . ( 11 ) 



The next point is to observe that the correlation coefficients of the individ- 
ual linear approximations can be computed if conditioned on the random func- 
tions in an appropriate way. Let c/ = c(F^°^, X*®'), c'^ = c(F'^°\ X^°^), and 
c'^ = c(F"^°^, X^°l) be the correlation coefficients between F^°l and p'W 

and and F"^”' and respectively, where the subscript / indicates the 
dependence upon a particular balanced boolean function / (here / = F^®^). 
Then the linear approximations (6), (7), (8), and (9) hold with the correlation 
coefficients c/, c'^, Cp and Cf, respectively, where F^°^, F'^°\ and F"*°) are fixed 
and X is either uniformly distributed or fixed. The linear approximation (10) 
holds for any fixed X with the correlation coefficient e'^, = 1 — (condi- 

tioned on m') if F'^°^ is a uniformly random balanced boolean function and if 
F"(o) is produced from F'^°^ by a random effective change, due to swapping, of 
m' bits, where, as before, m' takes values 0 and 2, each with probability 1/2. The 
linear approximation (11) holds for any fixed X with correlation coefficient if 
F^°) is a uniformly random balanced boolean function with a fixed correlation 
coefficient Cf to see Proposition 4. 




234 



Now, let m denote the number of bits where and are effectively dif- 
ferent. Under the independence assumption that the individual linear approxima- 
tions are independent when conditioned on c/, m', and m, the correlation coeffi- 
cient between and 1 is given as c^fc'pe'^, , where c'j = CfEm, £m = 1 
if F^^^ is a uniformly random balanced boolean function with a fixed correla- 
tion coefficient c/ to where X is either uniformly distributed or fixed. The 
resulting correlation coefficient conditioned on Cf, m', and m is thus equal to 
c® . Note that the independence assumption seems to be the only tractable 
way of combining the individual linear approximations. 

Consequently, the overall correlation coefficient is then given as 

c = E{c]) ■ E{el) ■ E{e'^.) (12) 

where the expectations are over random cj,m, and m', respectively (for simplic- 
ity, it is assumed that the random variables m' and m are independent) . From the 
proof of Proposition 2, recall that Cf can be expressed as 2^~”(fc — 2”~^) where 
k (standing for the number of zeros in the half of the truth table of / = 
where = 0) has the probability distribution 

( 2 "-^ 

Pr{^} = 0<fc<2"-C (13) 

The random variable m' takes values 0 and 2 each witli probability 1/2, so that 
£(40 = 4(m') = 1-2'-" (14) 

which tends to 1 as 2" increases. 

The probability distribution of m is not straightforward to derive. By careful 
combinatorial analysis, one can prove the following result. 

Lemma 5. Let f be a uniformly random balanced boolean function of n vari- 
ables and let f" be a boolean function obtained from f first by swapping the bits 
defined by input variables X and Y and, then, by additional swapping the bits 
defined by X I and Y' , where X is fixed or random and Y and Y' are inde- 
pendent uniformly distributed n-dimensional binary random variables. Let m be 
the number of bits where f and /" are different and let N = 2”. Then m is a 
random variable with the following probability distribution 



Pr{m = 0} = 


-N + 2 
4N{N - 1) 


(15) 


Pr{m = 2) = 


2N^ + N -6 
4N{N - 1) 


(16) 



Pr{7Ti = 4} 



[N - 2)2 
4X(7V- 1)' 



(17) 




235 



The expected value of m is given by 



E{m) 



-7N + 2 
2N{N -\) 



(18) 



Note that E{m) < 2 since effective changes in two successive swappings can 
cancel out, but as N increases, we have that Pr{m = 0} ~ 1/4, Pr{m = 2} ~ 
1/2, Pr{m = 4} ~ 1/4, and E{m) ~ 2, as should be expected. Accordingly, we 
get 



E{el) 



N* - 9N^ + 38A12 _ g4^ ^ 4 Q 
N^{N - 1 ) 



(19) 



which, of course, tends to 1 as iV 2” increases. 

Finally, it remains to compute the main product factor in (12), that is, E(c^). 
According to (13), we then have 

E(cj) ^ (20) 

where pe is the 6th central moment of the probability distribution (13), that is, 



2n-l 

pe = J2(k- 2 "-^)« ^ ^ 15 • ( 21 ) 

k=o 



see the Appendix. It is crucial to observe that the exponent, 6, is even, so that 
fiQ is necessarily different from zero. 

The equation (12) together with (20), (21), (19), and (14) then determines 
the overall correlation coefficient c which can be easily computed for any n of 
interest, and, as 2" increases we have 



c ~ 15 -2-^”. 



( 22 ) 



The necessary sequence length to detect with high probability the second binary 
derivative statistical weakness is 0(c~^) [9], that is, neglecting a small constant 
less than 10, 

L w 2®"/225 Si « ioi-8"-2.35^ (23) 

As the memory size of RC4 \s M = n,2” + 2n, we get L x (M/(2.466 log M))®. 

For example, for n = 4,6,8, we computed the following values for /xg and c: 
/X6 « 16.1716 and c w 2.2•10-^ pe « 975.762 and c « 4.97-10~®, pe « 61682.916 
and c w 8.67 • 10“^, respectively. In fact, for n > 4, the approximation to /xg 
included in (21) is also very good. The estimates of c obtained by computer 
simulations for n = 4 and n = 6 are c = 1.34 ■ 10“® and c = 1.95 ■ 10”®, 
respectively. The first estimate is an average value for 5 output sequences each 
of length 10^^ and the second one is an average value for 10 output sequences 
each of length where each sequence is produced from a randomly chosen 

initial state. One may observe that the estimates are roughly by 50% smaller 




236 



that the values predicted by theory. This shows that the influence of the utilized 
linear approximations being dependent is relatively small. The difference may 
also be due to the fact that the correlation coefficient estimates are essentially 
obtained by averaging over time rather than over random initial states. 

5 Conclusions 

The linear model approach aiming at finding linear relations among the keystream 
bits that hold with probability different from one half is applied to the RC4 
keystream generator. It is first shown by the linear sequential circuit approx- 
imation method that the first and the second binary derivative of the least 
significant bit output sequence may yield such linear relations. A specific tech- 
nique involving correlation properties of random balanced boolean functions is 
then developed to study the corresponding correlation coefficients. It is thus 
proven that the correlation coefficient for the first binary derivative is equal to 
zero and, more importantly, that the correlation coefficient between the second 
binary derivative and 1 is around 15 • 2“^” where n is the word size of RC4. The 
theoretical result derived agrees well with the experimental results obtained by 
computer simulations. 

The output sequence length needed to detect the corresponding linear statis- 
tical weakness is then around 64”/225, which is significantly smaller than 2^ , 
where M = n2" -t- 2n is the memory size, and may even be realistic in high speed 
applications. Although the resulting plaintext uncertainty reduction may not be 
practically important unless n is small, the determined linear model can be used 
to distinguish RC4 from other keystream generators and, also, to recover the 
unknown parameter n. Whether the linear model indicates that the initial state 
reconstruction from the known output sequence is also possible remains to be 
further investigated. 

Appendix 

Consider a discrete probability distribution \{^) / [ where is a posi- 

tive integer. For any positive integer r, the central moment of this probability 
distribution is defined as 

k-0 V2i/1 

Our objective here is to study the asymptotics of a,s p increases. First note 
that /ir = 0 if r is odd. Assume then that r is even. By using the well-known 
normal approximation to the binomial coefficients, obtained by Stirling’s formula 
n! ~ along with a uniform convergence argument regarding this 

approximation (e.g., see [3, pp. 179-186]), it is easy to see that 

^r/2 i-oo 

/i,- ~ 7 = / x’e * (25) 

2’•^/^y_oo 




as 1 / — > 00 . For r even, this reduces to 



237 



Mr ~ 






r + 1 



(26) 



where r{z) = ^dx is the well-known gamma function. Finally, we 

obtain 



Mr~^(r-1)!! (27) 

where (r — 1)!! = 1 • 3 • • ■ (r — 1). 

Acknowledgments 

The author is grateful to Lars Knudsen and Andrew Klapper for providing the 
correlation coefficient estimates by computer simulations. Part of this work was 
carried out while the author was on leave at the Isaac Newton Institute for 
Mathematical Sciences, Cambridge, United Kingdom. 

References 

1. Ameritech Mobile Communications et al., ’’Cellular digital packet data system 
specifications, part 406: airlink security,” CDPD Industry Input Coordinator, 
Costa Mesa, Calif., July 1993. 

2. J. Daemen, R. Govaerts, and J. Vandewalle, ’’Resynchronization weakness in syn- 
chronous stream ciphers,” Advances in Cryptology - EUR.OCRYPT ’92, Lecture 
Notes in Computer Science, vol. 765, T. Helleseth ed., Springer- Verlag, pp. 159- 
167, 1994. 

3. W. Feller, An Introduction to Probability Theory and its Applications. New York: 
Wiley, 3. edition, vol. 1, 1968. 

4. P. Flajolet and A. M. Odlyzko, ’’Random mapping statistics,” Advance.s in Cryp- 
tology - EUROCRYPT ’89, Lecture Notes in Computer Science, vol. 434, J.-J. 
Quisquater and J. Vandewalle eds., Springer- Verlag, pp. 329-354, 1990. 

5. J. Dj. Golic, ’’Correlation via linear sequential circuit approximation of combin- 
ers with memory,” Advances in Cryptology - EUROCRYPT ’92, Lecture Notes in 
Computer Science, vol. 658, R. A. Rueppel ed., Springer-Verlag, pp. 113-123, 1993. 

6. J. Dj. Golic, ”On the security of shift register based keystream generators,” Fast 
Software Encryption - Cambridge ’93, Lecture Notes in Computer Science, vol. 
809, R. J. Anderson ed., Springer-Verlag, pp. 90-100, 1994. 

7. J. Dj. Golic, ’’Intrinsic statistical weakness of keystream generators,” Advances in 
Cryptology - ASIACRYPT ’94, Lecture Notes in Computer Science, vol. 917, J. 
Pieprzyk and R. Safavi-Naini eds., Springer-Verlag, pp. 91-103, 1995. 

8. J. Dj. Golic, ’’Towards fast correlation attacks on irregularly clocked shift regis- 
ters,” Advances in Cryptology - EUROCRYPT ’95, Lecture Notes in Computer 
Science, vol. 921, L. C. Guillou and J.-J. Quisquater eds., Springer-Verlag, pp. 
248-262, 1995. 




238 



9. J. Dj. Golic, ’’Linear models for keystream generators,” IEEE Trans. Computers , 
vol. C-45, pp. 41-49, Jan. 1996. 

10. J. Dj. Golic, ”On the security of nonlinear filter generators,” Fast Software Encryp- 
tion - Cambridge ’96, Lecture Notes in Computer Science, vol. 1039, D. Gollmann 
ed.. Springer- Verlag, pp. 173-188, 1996. 

11. R. J. Jenkins Jr., ’’ISAAC,” Fast Software Encryption - Cambridge ’96, Lecture 
Notes in Computer Science, vol. 1039, D. Gollmann ed., Springer- Verlag, pp. 41- 
49, 1996. 

12. M. D. MacLaren and G. Marsaglia, ’’Uniform random number generation,” J. 
ACM, vol. 15, pp. 83-89, 1965. 

13. W. Meier and O. Staffelbach, ’’Fast correlation attacks on certain stream ciphers,” 
Journal of Cryptology , vol. 1(3), pp. 159-176, 1989. 

14. W. Meier and O. Staffelbach, ’’Correlation properties of combiners with memory 
in stream ciphers,” Journal of Cryptology , vol. 5(1), pp. 67-86, 1992. 

15. R. L. Rivest, ’’The RC4 encryption algorithm,” RSA Data Security, Inc., Mar. 
1992. 

16. R. A. Rueppel, Analysis and Design of Stream Ciphers. Berlin: Springer- Verlag, 
1986. 

17. R. A. Rueppel, ’’Stream ciphers,” Contemporary Cryptology: The Science of Infor- 
mation Integrity, G. Simmons ed., pp. 65-134. New York: IEEE Press, 1991. 

18. B. Schneier, Applied Cryptography. New- York: Wiley, 1996. 

19. T. Siegenthaler, ’’Correlation immunity of nonlinear combining functions for cryp- 
tographic applications,” IEEE Trans. Inform. Theory, vol. IT-30, pp. 776-780, 
Sept. 1984. 




Cryptanalysis of Alleged A5 Stream Cipher 



Jo van Dj. Golic * 

School of Electrical Engineering, University of Belgrade 
Bulevar Revolucije 73, 11001 Beograd, Yugoslavia 



Abstract. A binary stream cipher, known as A5, consisting of three 
short LFSRs of total length 64 that are mutually clocked in the stop/go 
manner is cryptanalyzed. It is allegedly used in the GSM standard for dig- 
ital cellular mobile telephones. Very short keystream sequences are gen- 
erated from different initial states obtained by combining a 64-bit secret 
session key and a known 22-bit public key. A basic divide-and-conquer 
attack recovering the unknown initial state from a known keystream 
sequence is first introduced. It exploits the specific clocking rule used 
and has average computational complexity around 2'*°. A time- memory 
trade-off attack based on the birthday paradox which yields the unknown 
internal state at a known time for a known keystream sequence is then 
pointed out. The attack is successful if T ■ M > 2®® where T and M 
are the required computational time and memory (in 128-bit words), re- 
spectively. The precomputation time is 0{M) and the required number 
of known keystream sequences generated from different public keys is 
about T/102. For example, one can choose T =s 2 ^^ ®^ and M w 2 ®® ®®. 
To obtain the secret session key from the determined internal state, a 
so-called internal state reversion attack is proposed and analyzed by the 
theory of critical and subcritical branching processes. 



1 Introduction 

A common type of keystream generators for additive stream cipher applications 
consists of a number of possibly irregularly clocked linear feedback shift registers 
(LFSRs) that are combined by a function with or without memory. Standard 
cryptographic criteria such as a large period, a high linear complexity, and good 
statistical properties are thus relatively easily satisfied, see [12]. However, such 
a generator may in principle be vulnerable to various divide-and-conquer at- 
tacks in the known plaintext (or ciphertext-only) scenario, where the objective 
is to reconstruct the secret key controlled LFSR initial states from the known 
keystream sequence, for a survey see [12] and [5]. In practice, for resynchroniza- 
tion purposes, the internal state of a keystream generator is reinitialized once in 

This work was done while the author was with the Information Security Research 
Centre, Queensland University of Technology, Brisbane, Australia. Part of this work 
was carried out while the author was on leave at the Isaac Newton Institute for 
Mathematical Sciences, Cambridge, United Kingdom. This research was supported 
in part by the Science Fund of Serbia, grant #04M02, through the Mathematical 
Institute, Serbian Academy of Science and Arts. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 239-255, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




240 



a while by combining the same secret session key with different randomizing keys 
(typically transmitted in the clear and called here public) into the secret message 
keys defining different initial internal states. This may open new possibilities for 
the secret key recovery cryptanalytic attacks, see [3]. 

In this paper, a key stream generator consisting of three short binary LFSRs 
with known primitive feedback polynomials that are mutually clocked in the 
stop/go manner is cryptanalyzed. The LFSR lengths are 19, 22, and 23, respec- 
tively, and the total length is thus 64. Middle taps in each of the LFSRs are used 
to define the clock-control sequence, the clocking rule is such that at least two 
LFSRs are effectively clocked per each output bit, and the keystream sequence is 
formed as the bitwise sura of the three stop/go clocked LFSR sequences. The 64- 
bit long secret key is nonlinearly combined with a 22-bit long public key (frame 
number) to form the LFSR initial states. The first 100 output bits are discarded 
and the message length is only 114 bits (frequent resynchronization). However, 
the full-duplex communication mode makes the effective message length of 228 
bits. The scheme along with the code has been made public in [1] and is allegedly 
used under the name A5 for stream cipher encryption in the GSM standard for 
digital cellular mobile telephones, see [13]. For simplicity, the name A5 is used 
here throughout. In a yet unpublished paper [14], it has been observed, perhaps 
surprisingly, that the period of the keystream sequence is only slightly bigger 
than the period, w 2^^, of the longest LFSR. A possibility for a divide-and- 
conquer attack of average complexity has been mentioned in [1] and [13]. 
The attack would consist in guessing the initial states of the two shorter LFSRs 
and, then, in computing the longest LFSR sequence from the known keystream 
sequence. However, this attack can not work, because the clocking depends on 
the unknown longest LFSR sequence as well. In addition, one has to take care 
of the first 100 output bits being discarded as well. 

Although one may in principle imagine that edit distance or edit probability 
correlation attacks [4] can be adapted to deal with stop/go clocking, such attacks 
are not likely to be successful on A5, because of a very short available keystream 
sequence. Due to the bitwise summation, to achieve a divide-and-conquer effect, 
one or two LFSRs have to be replaced by their linear models [7], where linear 
models of individual LFSRs can be based on the repetition property only, while 
linear models of pairs of the LFSRs must involve their feedback polynomials as 
well. Instead of the so-called shrunk feedback polynomials [7], we now have to 
introduce the expanded feedback polynomials. If the whole scheme is replaced 
by the corresponding linear model, one may then even conceive of a fast corre- 
lation attack framework similar to the one from [6], but the required keystream 
sequence length would be much bigger than the one at disposal- On the other 
hand, the conditional correlation attack [11] based on the repetition property 
can not be extended to deal with A5, because of the specific clocking rule. 

The objective of this paper is to develop cryptanalytic attacks on A5 that 
can reconstruct the 64-bit secret key in the known plaintext scenario with the 
computational complexity smaller than 2®''. In Section 2, a more detailed descrip- 
tion of the A5 stream cipher is presented. It is shown that the known plaintext 




241 



attacks are very realistic in the GSM applications. In Section 3, a basic divide- 
and-conquer attack on A5 with the average computational complexity is 

introduced. It essentially consists in guessing some bits of the LFSR states, in 
recovering the others by solving appropriate linear equations, and in the LFSR 
states reversion via the unknown binary clocking sequences to obtain the LFSR 
initial states. The last step is needed since the first 100 output sequence bits are 
discarded. In Section 4, a time-memory trade-off attack based on the birthday 
paradox probabilistic argument is pointed out. This attack is feasible due to 
relatively short internal state size of 64 bits. It can recover the LFSR internal 
states for a particular keystream sequence at a particular time and is successful if 
T M > where T and M are the required computational time and memory, 

respectively. The precomputation time is 0{M) and a sample of T/102 228-bit 
long observed keystream sequences generated from the same secret session key 
and different public keys is needed. To obtain the secret key, a low-complexity 
internal state reversion attack is then proposed in Section 5. It consists in the 
reversion of the I/FSR internal states, first when the output sequence is known, 
then when the output sequence is unknown, and finally when the secret key is 
nonlinearly combined with the known public key. The complexity of the attack 
is analyzed by the theory of critical and subcritical branching processes, briefly 
outlined in the Appendix. Conclusions are given in Section 6 . 

2 Description of the Stream Cipher 

The stream cipher algorithm to be defined is for simplicity called A5 according 
to [1], [13]. The A5 type keystream generator considered is shown in Fig. 1. 

Let fi{z) = denote a known binary primitive feedback polynomial 

of LFSRj of length r,, i = 1,2,3, and let rj = 19, C 2 = 22, and rs = 23. 
The feedback polynomials specified in [1], [13] are sparse, but our cryptanalytic 
methods to be presented do not depend on their choice. Let ^^(O) = (a;i(t))[io^ 
denote the initial state of LFSRj and let Xi — (a:i(t))“o denote the corresponding 
maximum-length sequence of period 2 ''’ — 1 produced by LFSRi via the linear 
recursion fi,i Xi{t r,-. 

Let Si{t) — denote the state of LFSR, at time t > 0 in a scheme 

with stop/go clocking to be defined below, and let ti denote a middle tap from 
LFSR, used for clock-control. The values suggested in [ 1 ] are ri = 10, T 2 = 11, 
and T 3 = 12. Then the clock-control sequence C — (C(t))“ ^ is defined by 

C{t) = 9(si,r,(f - l),S2.r2(f - 1),S3,T3(< - 1)) (1) 

where ^ is a 4-valued majority function of three binary variables such that 
(/(si, 52 , 53 ) = {i,j} if Si = Sj / Sk for i < j and k i,j, and g{si, 82 , 83 ) = 
{1, 2, 3} if Si = S 2 = 53 . The clock-control value C{t) defines which LFSRs are 
clocked to produce an output bit y{t) as the sum 



y{t) = Sl,i(t) + S2,l(t) +S3j(t), t > 1. 



( 2 ) 




242 




*/(«) 



Fig. 1. Alleged A5 type keystream generator. 



Let Ci = (ci(t))^i denote the binary docking sequence for LFSRi (it is clocked 
if Ci(t) — 1 and not clocked if Cj(i) = 0) which is derived from the clock-control 
sequence C in an obvious way. Equation (2) can formally be used to generate the 
initial bit y(0) from 5(0), so that y = (t/(t))^o called the output sequence. The 
first 100 output bits, are discarded, the following 114 bits are used as 

the keystream for one direction of communication in the full-duplex mode, then 
the next 100 bits are again discarded, and the following 114 bits are used as the 
keystream for the reverse direction of communication. The encrypted messages 
are thus very short and the resynchronization is frequent. 

The LFSR initial states are defined in terms of the secret and public keys. 
The public key is a known 22-bit frame number generated by a counter and hence 
different for every new message. The 64-bit secret session key is first loaded into 
the LFSRs (the all-zero initial state is avoided by setting the output of the last 
stage to 1) and the 22-bit public key is then bitwise added into the feedback 
path of each of the LFSRs that are mutually clocked as above. More precisely, if 
P = (p(*))t=- 2 i denotes the public key, then for every —21 < f < 0, the LFSRs 
are first stop/go clocked as before and, then, the bit p{t) is added to the last 
stage of each of the LFSRs. The LFSR states after these 22 steps, as a secret 
message key, represent the initial LFSR states for the keystream generation. 

The A5 stream cipher is allegedly used to encrypt the links between individ- 
ual cellular mobile telephone users and the base station in the GSM system, see 
[13]. Therefore, if two users want to communicate to each other via their base sta- 
tion(s), the same messages get encrypted twice which makes the known plaintext 
cryptanalytic attack possible, provided a cooperative insider user can be estab- 
lished. Note also that the links between the base stations are not encrypted. For 









243 



any user, a 64-bit secret session key is generated by another algorithm from the 
secret master key specific to the user and a public random 128-bit key transmit- 
ted in the clear from the base station to the user. So, a possible reconstruction 
of one or more session keys for a user opens a door for a cryptanalytic attack on 
the master key of that user. 

3 Basic Attack 

The objective of a divide-and-conquer attack to be presented in this section is 
to determine the LFSR initial states from a known keystream sequence corre- 
sponding to only one known plaintext-ciphertext pair. In fact, only about 64 
known successive keystream bits are required. Let S{t) = (5i(t),52(t),5'3(t)) 
denote the whole internal state of A5 at time t > 0, where 5(0) is the initial 
internal state defined by the secret message key. The known keystream sequence 
is in fact composed of two segments (j/(t))?iloi and The first goal 

is to reconstruct the internal state 5(101) and the second one is to determine 
5(0) = (5i(0), 52(0), 53(0)) from 5(101). 

Recall that a = (cj(t))^i denotes the binary clocking sequence for LFSRj, 
which is clocked if Ci(t) - 1 and not clocked if Ci(t) = 0. If Ai denotes the 
state-transition matrix of regularly clocked LFSRq then 

Si(t) = (3) 

with the integer summation in the exponent. Also, let Xi = (xj(t))J^o denote 
the stop/go clocked LFSR, sequence, where ii{t) = sqi(f). In the probabilistic 
analysis to follow, a sequence of independent uniformly distributed random vari- 
ables, over any finite set, is called purely random. As usual, we keep the same 
notation for random variables and their values. 

Proposition!. Assume that the three regularly clocked LFSR sequences are 
mutually independent and purely random. Then the 4-valued clock-control se- 
quence C is purely random and, hence, the binary clocking sequence Ci is a se- 
quence of independent identically distributed binary random variables with the 
probability of zero being equal to 1/4. 

Proposition 2. Assume that the three regularly clocked LFSR sequences are 
mutually independent and purely random. Then the bitwise sum of any two or 
more stop/go clocked sequences Xi is purely random. 

It is shown in Section 5 that the state-transition function of A5 is not one- 
to-one, so that the set of all reachable internal states at time t, t > 1, is a subset 
of the set 5 q of all 2®^ initial states. In particular, only 5 ■ 2®^ « 2®^ ®^ internal 
states are reachable for t = 1 . As a consequence, different initial states can give 
rise to the same internal state at some time in future or even to the same output 
sequence too. This is explained in terms of the theory of branching processes 
in Section 5. More precisely, the number of different initial states giving rise to 




244 



the same internal state at some time in future is very likely linear in that time 
and, therefore, relatively small for the times of interest (internal state reversion 
when the output is not known, Subsection 5.1). On the other hand, the num- 
ber of different initial states yielding the same internal state at some time in 
future and the same output sequence is very likely to be a very small integer 
(internal state reversion when the output is known, Subsection 5.2). In addi- 
tion, since the individual LFSR sequences axe maximum-length sequences with 
good (low) autocorrelation and crosscorrelation properties and the combining 
function is maximum-order correlation immune, it is highly likely that different 
output sequences y = (?/(<))^o different on the first successive 64 positions, 

iymu 

Consequently, it takes about 64 successive keystream bits to check if an 
assumed preceding internal state is consistent with the subsequent output se- 
quence. The expected number of solutions for 5(101) is with high probability a 
small integer, whereas the the number of solutions for 5(0) (equivalent initial 
states) is very likely to be relatively small. 

3.1 Internal state reconstruction 

Let 5(101) be the internal state to be determined in the first stage of the attack. 
Since the number of reachable states 5(101) is not bigger than and the 

unreachable ones can be simply characterized by a set of linear equations, in 
the average complexity analysis given below we can simply take 63.32 instead 
of 64. For every i = 1,2,3, first guess n bits (si, i(101))[i'^"’’^ of 5i(101) if 
n < - Ti 4- 1, and, if not, then also guess the next n - fj -h Tj - 1 bits 

produced by the linear recursion from 5j(101). In any case, one thus obtains 
3n linearly independent equations for unknown bits of 5(101), provided that 
n < 19. Since the assumed bits on average define 4n/3 elements of the clock- 
control sequence, one can thus form 1 -l-4n/3 additional linear equations, where 
the first one is clearly obtained from the first keystream bit y(lOl) without using 
the clock-control sequence. The additional linear equations are mutually linearly 
independent, provided that n < 18, because each one then contains at least two 
new bits that have not appeared before. They are linearly independent of the 
first 3n equations if and only if each of them contains at least one new bit that 
is not already guessed. This happens with high probability if 

n < max(Ti,r 2 ,T 3 ) - 1. (4) 

If not, then the last among the additional equations will necessarily involve some 
of the already guessed bits and will with high probability be linearly dependent 
on the first 3n equations. Suppose first that the condition (4) is satisfied. Then 
all the obtained linear equations are with high probability linearly independent, 
so that the internal state can be determined uniquely if 1 + 3n -I- 4n/3 > 63.32, 
that is, if n > 14.38 (it follows that max(n, T 2 , xs) > 16). The obtained state 
should then be tested for correctness on additional 3n keystream bits on average. 
The computational complexity is then and the total required keystream 




245 



sequence length is about 64 successive bits (we keep the fractions since we deal 
with the average case complexity). 

Suppose now that max(ri,T 2 ,T 3 ) < 15, which means that the condition 
(4) is not satisfied, as is the case in the particular proposal from [1], where 
max(ri, T 2 ,r 3 ) = rs = 12. In this case, the last of the additional equations are 
with high probability linearly dependent and as such can not be used as before, 
but can be used to test the linear consistency of the initial guess. If the previous 
analysis was extended, then one would get that n has to be bigger than 14.38 
and that the average complexity would hence increase, contrary to the intuition. 
Indeed, one can do better than that. Let initially n = 10, so that (4) is satisfied. 
One thus obtains the total of 1 + 3n + 4n/3 w 44.3 linearly independent equa- 
tions on average. Now, instead of guessing the next m « 19.02/3 bits on average 
in each of the LFSR sequences, we will build a tree structure to sequentially 
store all the possibilities for the next bits that are consistent with the additional 
linear equations. In each node of the tree one stores the next three input bits to 
the majority clock-control function such that the resulting clocking is consistent 
with the equations. This approach is in spirit similar to the inversion attack 
[8] on nonlinear filter generators. The average number of branches leaving each 
node would have been |'4-l-l-8 = 5ifit were not for the additional equa- 
tions. They on average reduce this number to 2.5. The required depth of the 
tree should on average be 4m/3 to obtain the next m guessed bits in each of the 
LFSR sequences. So, instead of 2^”* possibilities for the next m bits, we have 
to check only 2.5^“^^ « w 2**-^® possibilities on average, under the rea- 

sonable independence assumption valid for the so-called supercritical branching 
processes, see Theorem 6 from the Appendix. The overall complexity is then 
230+11.16 24116. For comparison, suppose that the clock-control bits are used 

to produce the output, that is, n = T 2 = tz — 1. Then, clearly, only the part 
of the process involving the tree applies and the overall complexity is minimum 
possible, that is, w 2®^-*®. 

To get the average number of trials needed to find the correct internal state 
5(101), one should in fact divide by two the complexity figures given above, e.g., 
24^-^® thus reduces to 24°-^®. 

3.2 Internal state reversion via clocking sequences 

In the second stage, our objective is to recover the initial LFSR states from 
5(101). In view of (3), this can be done by guessing the number of ones in 
individual binary clocking sequences, that is, the number of clocks needed to 
get 5,(101) from 5^(0), for each i = 1,2,3. According to Proposition 1, the 
underlying probability distribution is binomial with the average number of clocks 
0.75 ■ 101 « 76 and the standard deviation 0.25 • \/303 w 4.35, for each of the 
LFSR sequences. If the search is organized in order of decreasing probabilities 
for each of the LFSR sequences independently, the number of trials required 
to find the correct numbers of clocks is with high probability not bigger than 
about 1Q4 and is at worst about 10®. For each guess, one first recovers 5,(0) 
from 5i(101) by backward linear recursion, for each i = 1,2,3, and then tests 




246 



the guess by running the keystream generator forwards to obtain S(lOl). Note 
that multiple solutions for 5(0), if they exist, are all obtained by checking all 
« 10® possibilities for the clocking sequences, for any possible 5(101) obtained 
in the first stage. This number can clearly be reduced by assuming the mutually 
constrained rather than independent clocking sequences for individual LFSRs. 
In any case, reconstructing the initial state 5(0) from 5(101) is much faster than 
obtaining 5(101) itself. 

4 Time-Memory Trade-OfF Attack 

As was already explained in the previous section, the first 64 successive output 
bits of A5, (y(t))®£o, represent a vectorial boolean function of 64 initial state 
bits 5(0) such that the number of different initial states 5(0) producing the 
same 64-bit initial output block is in most cases only 1 or a very small integer. 
In fact, since the initial 101 output bits are not used for the keystream, the 
initial state bits 5(0) should be confined to the 2®* values achievable by 5(1) 
which are easily characterized. As a consequence, for any observed 64 succes- 
sive keystream bits, one can find all the preceding internal states yielding these 
bits either by exhaustive search over all reachable internal states requiring 2®^-®^ 
64-bit computations and bitwise comparisons or by only one table lookup requir- 
ing 2®® ®^ 64-bit words of memory to store the inverse of the vectorial boolean 
function considered. The inverse function, with multiple preimages if they exist, 
is found and stored in 2®® ®^ precomputation time. Let the time and memory 
required in these two extreme cases be denoted as T = 2®® ®®, M = 1 and T = 1, 
M = 2®®’®^, respectively. Is any meaningful time-memory trade-off based on the 
birthday paradox possible? 

Assume that the objective is to recover the preceding internal states for 
any observed 64 successive keystream bits in the known plaintext scenario. Each 
known keystream sequence of effective length 228 bits provides 102 w 2® ®^ 64-bit 
blocks, and, due to the very small keystream sequence length, it is very likely that 
the cryptanalyst knows either all 228 bits or none of them. So, any time-memory 
trade-off solely based on these 102 keystream blocks is meciningless. However, we 
may consider a sample of all the keystream sequences corresponding to different 
initial states (secret message keys) derived from K (at most 2®®) different known 
public keys and a single secret session key. The reconstruction of any internal 
state corresponding to a particular public key is then meaningful if if < 2®® and 
if it leads to the recovery of the secret session key, which can then be used to 
decrypt the ciphertexts obtained from the remaining public keys. 

Let the cryptanalyst form a table of M possibly multiple 64-bit words defining 
the reachable initial states corresponding to a random sample of M different 64- 
bit output blocks, and let the table be then sorted out with respect to the output 
blocks, which are also stored. Multiple preimages are all obtained by the internal 
state reversion given a known output, in 0(M) time, see Subsection 5.2. The 
required precomputation time for sorting is M logM or, approximately, just M 
if the logarithmic factor, smaller than 64, is neglected. Altogether, the required 




247 



precomputation time is thus 0{M). By the standard birthday paradox (used in 
rneet-in-the-middle attacks), it then follows that with high probability at least 
one of the 102 • if keystream blocks in the observed sample will coincide with 
one of the output blocks used to form the table if 

102-if-M > 2®^-^^ (5) 

where a small multiplicative constant is neglected for simplicity. The time T 
needed to find such a keystream block is 102- A' -log M or simply 102 if neglecting 
the logarithmic factor. Then only one table lookup gives the desired internal 
state(s). So, the time-memory trade-off is possible with T ■ M > 2®^ ®^ and T < 
102 • 2^^. For example, if A" = 2*®, then the time and memory required are T w 
2^1 and M w (in 128-bit words), respectively, and the precomputation 

time is 0(M). In an extreme case, when K = 2^^, we get T ~ 2^^ ®^ and 
M w 2^® « 862 Gbytes, but the secret session key to be determined can then 

only be used to decrypt ciphertexts obtained from the remaining half of the 
public keys. 

A more general approach for the cryptanalyst would be to analyze the traffic 
corresponding to L different sessions for each out of N users. This increases the 
sample size (and time) to 1Q2 K L N , so that further reduction in M is possible, 
which makes the attack quite realistic. In this case, a particular user whose 
secret session key is to be determined is not known in advance. This, of course, 
does not make a difference if the objective is cloning rather than decryption. 
Even more generally, one may also allow that K be maximum possible, 2^^, if 
the cryptanalyst is capable of attacking the algorithm that combines the secret 
master key of a user and a public random 128-bit key into the secret session 
key. Namely, the determined session key may be useless for decryption, but may 
be used for the secret master key reconstruction with devastating consequences 
regarding both decryption and cloning. 

The time-memory trade-off attack described clearly applies to arbitrary key- 
stream generators, and is feasible in the case of A5 because of its relatively short 
memory size of only 64 bits. It yields an internal state of A5 at a known time 
and is meaningful when coupled with a cryptanalytic attack to be introduced in 
the next section which gives all the candidates for the secret session key. If the 
internal state is determined at time 101 < t < 151, then the attack consists in 
the reversion of the internal state to S(lOl) based on known output, then to 5(0) 
when the output is not known (due to the first 100 output bits discarded), and 
finally to the secret session key when the known public key is incorporated. If 
the internal state is determined at time 315 < t < 365, then the attack consists 
in the reversion of the internal state to 5(315) based on known output, then to 
5(214) when the output is not known, and the rest is the same as in the first case 
with 5(214) as the internal state. Note that possible multiple solutions are all 
obtained. Multiple candidates for the secret session key are then easily reduced 
to only one, correct solution by comparing a small number of already known 
keystream sequences with the ones generated from the assumed candidates and 
known public keys. 




248 



5 Internal State Reversion via Branching 

The objective of the internal state reversion attack to be described in this section 
is to find all the secret session keys that combined with a known public key give 
rise to a given internal state at a known time. All the internal states at a known 
time that are consistent with a known keystrearn sequence can be obtained either 
by the basic internal state reconstruction attack from Subsection 3.1 or by the 
time-memory trade-off attack from Section 4. 

The performance of the attack is analyzed by the theory of critical and sub- 
critical branching processes and its time and space complexities are thus shown 
to be both small. Extensive computer experiments on nonlinear filter generators 
regarding the so-called generalized inversion attack [9] (where the whole internal 
state is recovered starting from its finite input memory part in a way similar to 
the internal state reversion) show that the size of the generated search trees can 
be well described by the theory of branching processes. 

5.1 Unknown output 

Given an internal state S{t) at time t, t > 1, S{t) € <Sq, the objective of the 
reversion attack when the output sequence is not known is to determine all the 
internal states S{t') at a given previous time t' < t that produce S{t) at time 
t by the state-transition function, whereas the output sequence is not consid- 
ered at all. For the reversion to work, the state-transition function, T, must 
be easily computable in the reverse direction. Letting denote the reverse 
state-transition function, .F”^(5(t)) denotes the set of all S{t — 1) such that 
^{S{t — 1)) = 5(f). The reversion attack then consists in the recursive compu- 
tation of the reverse state-transition function starting from 5(f) and up to 5(f'). 
The internal states obtained can all be stored as nodes in a tree with t -t' + 1 
levels where the initial level, n = 0, has one initial node representing 5(f), and 
the level n, 1 < n < t — t' , contains the nodes representing all possible 5(f — n) 
giving rise to 5(f). The end nodes thus give all the desired internal states S(t'). 
The main problem here is to estimate the size of the trees arising from a random 
5(f), that is, the number of the nodes obtained at each level n if 5(f) is chosen 
uniformly at random, and especially if n is not small. 

The state-transition function of A5 is essentially determined by the clock- 
control sequence, see (1) and (3). Accordingly, the number of different states 
5(f — 1) in iT“^(5(f)) is derived by backward clocking from all the possibili- 
ties for C{t — 1) and hence only depends on the following six bits: the three 
bits (si_n (f), S2,T2(f), S3,rs(f)) which define the clock-control sequence at the cur- 
rent time f, C(f), and the three preceding bits in the regularly clocked LFSR 
sequences which, if min(ri , T2, T3) > 2, all belong to 5(f) and are given as 
(si ,Ti-i (f), .S2,T2-i(f), 'Ss.Ta 1 (f))- Denote these bits by Si,S2,S3 and 5^,82,53, 
respectively. 

Propositions. Let{i,j^k) denote a permutation of {1,2, Z) . Then the. following 
six events can occur: 




249 



— A : for any k, if s' = s'- ^ s'^. = Sk, then C{t — 1 ) = {*, j) 

- B : for any k, if s'- = s'j s'^ ^ Sk, then C{t - 1) can take no values 

- C : if s'^ = s '2 = s'^ = Si = S ‘2 = S 3 , then C{t — 1) = {1, 2, 3} 

— D : if s'l = s '2 = S 3 Si = S 2 = S 3 , then C(t — 1) can take every of the 

four values {1,2}, {1,3}, {2,3}, and {1,2,3} 

— E : for any k, if s'j = S 2 = S 3 = Sj = sj / s*, then C{t — 1) can take every 

of the two values {i,j} and {1,2,3} 

- F : for any i, if s'l = S2 = S3 = Si ^ Sj = Sk, then C{t — 1) can take every 

of the three values {i,jj, {i,fc}, and {1,2,3}. 

Proposition 4. If an internal state 5(f) is randomly chosen from So according 
to uniform distribution, then the number of solutions for 5(f — 1) is a nonnegative 
integer random variable Z with the probability distribution 

Pv{Z = 0} = ^, Pr{Z = l} = ^, 

Pr{^ = 2} = Pr{5 = 3} = ~, Pr{Z = 4} = 1 (6) 

It follows that the state-transition function of A 5 is not one-to-one and that 
the fraction of the internal states from 5 q not reachable in one step is 3/8 (they 
axe simply characterized by a set of three linear equations). Let {5(f — n)} 
denote the set of all the internal states/nodes at level n in the tree spanned by 
the reversion from a given 5(f), and let Z„ = l{5(f - n)}| and Vn = 

Both the time and space complexities of the reversion attack are determined by 
Y-n- Our objective now is to estimate how large and Y„ can be when 5(f) 
is randomly chosen. Of course, each particular 5(f) uniquely determines the 
tree (model M'), and if we assume that regularly clocked LFSR sequences are 
mutually independent and purely random (model M), then the tree is random 
rather than unique even when 5(f) is fixed. From the internal state reversion 
via the clocking sequences. Subsection 3.2, we know that in both the models 
Zn < n^ necessarily holds. The trees spanned in both the models are expected 
to be similar if the depth n is smaller than 4/3 of the period of the shortest 
LFSR, w I 2^®, which is when on average the LFSR sequences start to repeat 
themselves in model M'. 

Proposition 4 shows that the associated Gallon- Watson branching process, 
described in the Appendix, has the branching probability distribution defined by 
( 6 ), with the expected value and variance /r = 1 and = 9/8, respectively. The 
branching process is critical. The random trees produced by model M and by 
the associated branching process are not exactly the same, as random variables. 
The reason for this is that in the branching process the branching probability 
distribution for a given node is independent of the nodes at the same or the 
preceding levels (the history), whereas in model M there is a weak dependence 
between the nodes as a result of different internal states having some clock- 
control bits in common. This weak dependence affects the expected values and 
variances of both and F„, but insignificantly. 




250 



Consequently, if S{t) is uniformly distributed over <So, then in model M, 
in view of Theorem 6 from the Appendix, E{Zn) w 1, Var(Z„) ~ a^n, and 
Pr{Zn > 0} « 2/(<T^n), where = 9/8. So, the fraction of the internal states 
reachable in n steps is about 2/{a'^n). On the other hand, both the computational 
time and the storage required for the reversion attack are determined by the total 
number of nodes Theorem 7 from the Appendix then gives that E{Y„) ~ n 
and Var(y„) « (j^n^/3. In view of the Chebyshev’s inequality PrUVn — £^{Yn)l ^ 
e} < Var(y„)/e^, we then get that the total number of nodes y„ is with high 
probability 0{ri\/n) and the multiplicative constant is not big. Note that in the 
case of interest, n = 101, and the approximations are expected to be very good. 

It is also interesting to see how large and Y„ can grow when conditioned 
on the event that the internal state S{t) is reachable in n steps. We know that 
at least one such state results from both the basic internal state reconstruction 
attack and the time-memory trade-off attack. Theorem 8 from the Appendix 
yields that in this case E{Zn\Zn > 0) « (r‘^n/2 and Var(Z„|y„ > 0) w c7^n^/4. 
This means that the number of solutions for S{t — n) is with high probability 
linear in n, provided at least one such solution exists. As for the total number 
of nodes Y„, we noted in the Appendix that E{Yri\Zn > 0) = 0{a‘^n'^) and 
Var(y„|y„ > 0) = 0{a^n*), so that y„ is then with high probability 0{cr^n'^). So, 
for n = 101 both the time and space complexities are small, although somewhat 
bigger than in the case of a uniformly distributed S{t). 

The number, N, of starting internal states in the real reversion attack may 
be bigger than just one, but is still small, as will be shown in the following sub- 
section. The time complexity clearly increases proportionally with N, whereas 
the space complexity, determined as the maximum tree size over all the starting 
states, increases only logarithmically with AT, due to the exponential probability 
distribution (21) in Theorem 8 from the Appendix. 

5.2 Known output 

Given an internal state S{t) at time t, I > 1, S{t) e <Sq, the objective of the 
reversion attack when the output sequence is known is to determine all the 
internal states S{t') at a given previous time t' < t that produce S{t) at time t by 
the state-transition function as well as the known output sequence (j/(t — 0);=i • 
This reversion attack then goes along the same lines as the one when the output 
sequence is not known, with a difference that from each level in the tree spanned, 
the nodes whose internal states produce the output bits different from the one 
known are all removed. The size of the resulting tree is hence much smaller. 

The output bit produced from S{t — 1) at time t — 1 depends on the follow- 
ing six bits; (si,i{l),S 2 ,i(t),S 3 ,i(t)) and the preceding three bits in the regularly 
clocked LFSR sequences. They are denoted as Z\,Z 2 ,Z 2 and respec- 

tively. The produced output bit is then equal to z[ + z' -|- Zk if C{t — 1) = {*,/}> 
for any {i,j} (as usual, {i,j,k) is a permutation of (1, 2, 3)), and to z[ + Z 2 + z'^ 
if C{t — 1) = {1,2,3}. An analog of Proposition 3 can then be established, with 
a difference that in each of the given six events, C{t — 1) can take every specified 
value for which, in addition, the produced output bit coincides with the one 




251 



known, y{t — 1). If min(ri,T 2 ,T 3 ) > 3, one can then derive the following analog 
of Proposition 4. 



Propositions. If an internal state S{t) is randomly chosen from So according 
to uniform distribution, then the number of solutions for S{t — l) is a nonnegative 
integer random variable Z with the probability distribution 



Pr{Z = 0} = 



315 



Pr{Z = 1} = 



75 

256’ 



Pr{Z = 2} = 



128’ 



Pr{Z = 3} = 



5 

256’ 



Pt{Z = 4} 



1 

512' 



( 7 ) 



The probabilistic models M and M' are defined in the same way as be- 
fore, with a difference that the known output sequence is assumed to be either 
fixed or purely random and independent of the LFSR sequences. The depen- 
dence between the nodes in the trees produced by M and M', although still 
relatively weak, is stronger than before due to the six additional bits controlling 
the output. The associated branching process is now subcritical with p = 1/2 
and (7^ — 17/32. The results regarding the probability distribution, the expected 
values, and the variances for the random variables Z„ and y„ are then obtained 
analogously, by applying the parts of Theorems 6-8 from the Appendix relat- 
ing to subcritical branching processes. Consequently, we get that in model M, 
E{Zn) w 2“", Var(Z„) ss and Pr{Z„ > 0} « c2“”, where c is a 

positive constant that is obtained numerically as c = lim„_ 4 .oo 2" (l-/(")(0))« 
0.63036, where is the self-composition of the generating function f of the 
probability distribution defined by (7), see the Appendix. Also, E{Yn) « 1 and 
Var(y„) « 8 ( 72 . 

Conditioning on the event that the starting internal state is reachable in n 
steps, we get E{Zn\Z„ > 0) « 1/c « 1.586, Var(Z„|Z„ > 0) w jc — l/c^ « 
0.854, E{Yn\Zn > 0) = 0{n), and Var(y„|Z„ > 0) = 0{n^). The size y„ of 
the resulting tree is then 0{n) with high probability. In the case of interest, 
resulting from the time-memory trade-off attack, we have that n < 50, so that 
the obtained trees are very small, whereas the number of possible solutions for 
S{t — n) (5(101)) is with high probability only 1 or a very small positive integer. 



5.3 Secret key reconstruction 

Our goal now is to obtain all possible secret session keys from all the determined 
initial states 5(0) given a known public key p = (p(t))?==_ 2 i ■ Recall that the 
secret session key is in fact an internal state of the Initialization scheme, which 
works in the same way as the keystream generator A5, except that the public key 
is bitwise added, in 22 steps, into the feedback path of each of the LFSRs. Given 
an initial state 5(0), 5(0) G So, the objective of the secret key reconstruction 
attack is to determine all the internal states S{t') at the previous time P = — 22 
that produce 5(0) by the modified state-transition function S{t) = J-o{S{t — 
l):P(f))i “21 < t < 0, which also depends on the known public key sequence 




252 



p. The modified reverse state-transition function {S{t),p{t)) then consists 
of two stages: first, the bit p{t) is added to the last stage of each of the LFSRs 
and, second, the LFSRs are clocked backwards according to all possible values 
C{t — 1) for the clock-control sequence. 

It is readily seen that the secret key reconstruction can be achieved by the 
reversion attack when the output sequence is not known in which the reverse 
state-transition function is modified according to the public key p as explained 
above. Consequently, both the analysis based on the theory of critical branching 
processes and the conclusions derived remain valid for the secret key reconstruc- 
tion attack. Since now n = 22 instead of n = 101, the trees spanned are much 
smaller in size. Multiple solutions for the secret session key 5(-22) giving rise 
to the same S(0) are still possible, but their number is relatively small. All 
the resulting candidates for the secret session key are consistent with the used 
keystream sequence. These multiple candidates for the secret session key are 
then easily reduced to only one, correct solution by comparing a small number 
of already known keystream sequences with the ones generated from the assumed 
candidates and known public keys. 



6 Conclusions 

Several cryptanalytic attacks on a binary stream cipher known as A5 are pro- 
posed and analyzed. The objective of the attacks is to reconstruct the 64-bit 
secret session key from one or several known keystream sequences produced 
by different 22-bit (randomizing) public keys, in the known plaintext scenario 
which is shown to be very realistic in the GSM applications. A basic divide-and- 
conquer attack with the average computational complexity and negligible 

memory requirements is first introduced. It requires only about 64 known suc- 
cessive keystream bits and gives all possible LFSR initial states consistent with a 
known keystream sequence. A time-memory trade-off attack based on the birth- 
day paradox is then pointed out. The objective of the attack is to find the LFSR 
internal states at a known time for a known keystream sequence corresponding 
to a known public key. The attack is feasible as the internal state size of A5 is 
only 64 bits. 

To obtain the secret session key from the determined LFSR internal states, 
an internal state reversion attack is proposed and analyzed by the theory of 
critical and subcritical branching processes. It is shown that there typically exist 
multiple, but not numerous, candidates for the secret session key that are all 
consistent with the used keystream sequence. The unique, correct solution is 
then found by checking on a small number of additional keystream sequences. 
The secret session key recovered can be used to decrypt the ciphertexts obtained 
from the remaining public keys and, possibly, to mount a cryptanalytic attack 
on the secret master key of the user as well. 

A simple way of increasing the security level of the A5 stream cipher with 
respect to the cryptanalytic attacks introduced is to make the internal memory 
size larger. For example, doubling the memory size, from 64 to 128 bits, is very 




253 



likely to push the attacks beyond the current technological limits. Note that the 
secret session key size need not be increased to 128 bits. In addition, one can 
make the clock-control dependent on more than just a single bit in each of the 
shift registers by using a balanced nonlinear filter function applied to each of 
them individually. The inputs to the filter functions should be spread over the 
shift register lengths, respectively, and their outputs can be combined in the 
same way as in A5. This increases the complexity of the basic internal state 
reconstruction attack. 



Appendix 

Branching processes 

The so-called Galton- Watson process, see [10], [2], is a Markov chain {Z„}^o 
the nonnegative integers whose transition function is defined in terms of a given 
probability distribution initial random variable Zq takes value 1 

with probability 1, and for any n > 1, the random variable conditioned on 
Zn-i = i is the sum of i independent identically distributed random variables 
with the probability distribution {p;d^o- The process can be regarded as a 
random (finite or infinite) tree with Z„ being the number of nodes at level 
n > 0, where the number of branches leaving any node in the tree is equal to k 
with probability pk, independently of other nodes at the same or previous levels. 
The generating function characterizing the probability distribution of Z„ can be 
expressed as the self-composition of the generating function f{s) = 

which is the probability distribution of Zi. Precisely, if /*"^(s), 
0 < s < T denotes the generating function of the probability distribution of Z„ 
and if = s, then for every n > 1, /*'*^(.s) = 

The basic characteristic of a branching process is the expected number of 
branches leaving any node, that is, 

OO 

p = E{Z,) = Y^kpk- (8) 

Ar=0 

A branching process is called subcritical, critical, or supercritical if p < 1, p = 1, 
or p > 1, respectively. The extinction probability defined as the probability of a 
tree being finite is 1 for subcritical and critical (provided po > 0) processes and 
smaller than 1 for supercritical processes. We are here only interested in sub- 
critical and critical processes, whose main properties are given by the following 
theorem, see [2], [10]. Let <7^ = Var(Zx) be the variance of Z). 

Theorem 6. In the subcritical case, p < 1, for any n > 1, 



E(Zn) = 


( 9 ) 


Var(Z„) = 

1- p 


(10) 




254 



and if E{Zi logZi) < oo, then as n oo, 

Pr{Z„ > 0} ~ c/x" (11) 

where a constant c, 0 < c < 1, depends on the probability distribution of Zi. 

In the critical case, p = 1, if 0 < < oo, then for any n>l, 

E[Z^) = 1 (12) 

Var(Z„) = cr^n (13) 

Pr{Z„ >0} ~ (14) 

a^n 

The same equations (9) and (10) hold for supercritical processes too. It is also 
interesting to study the total number of nodes in a random tree up to level n, 
not counting the initial node, that is, the random variable T„ = for ^riy 

n > 1. Another random variables to bo considered are Z„ and Y), conditioned 
on the event {Z„ > 0} meaning that a random tree has depth at least n. 

Theorem?. In the subcritical case, p < 1, for any n > 1, 

E{Yn) = - M") ~ r-^ (15) 

1 - P 1 - 

2 2 
Var(y„) = ^j4^((l-;x'*)(l+M"+’)-2(l-Ai)n/r") ~ ^^4^.(16) 

In the critical case, p = I, if > 0, then for any n > 1, 

E{Yn) = n (17) 

2 2 

Var(y„) = ^n(rt+ l)(2n+ 1) ~ (18) 

0 o 

Theorems. In the subcritical case, p < 1, as n — > oo, the probability dis- 
tribution of Z„1{Z„ > 0} converges to a limit probability distribution, and if 
E{Zi logZi) < 00 , then 

lim E{Zn\Zn > 0) = - (19) 

n—ioo C 

lim Var(Z„lZ„ > 0) = — ^ Y \ ^^*1) 

n-^oo Cp(l — p) 

where c is the same positive constant as in (11)- 
In the critical case, p = 1, if 0 < < oo, then 

lim Pr I — > z\Zn > ol = , 2 > 0, (21) 

n->oo [ n J 




255 



£;(Z„|Z„ >0) ~ yn (22) 

Var(Z„|Z„ >0) ~ yn^ (23) 

The probability distribution of the conditioned random variable y„|{Z„ > 0} 
is not treated in the standard books on branching processes like [10] and [2]. 
Nevertheless, the previous theorems and the results regarding the conditioned 
random variable | > 0} presented in [2] lead us to conclude that in the 

subcritical ca^e, E{Yn\Zn > 0) = 0{n) and Var(y„|Z„ > 0) = 0{n^), whereas 
in the critical case, E{Yn\Zn > 0) = O(a^n^) and Var(y'„|Z„ > 0) = 0(cr^n'*). 



References 

1. R. J. Anderson, Internet communication. 

2. K, B. Athreya and P. E. Ney, Branching Processes. Berlin: Springer- Verlag, 1972. 

3. J. Daemen, R. Govaerts, and J. Vandewalle, ’’Resynchronization weakness in syn- 
chronous stream ciphers,” Advances in Cryptology - EUROCRYPT ’92, Lecture 
Notes in Computer Science, vol. 765, T. Helleseth ed., Springer- Verlag, pp. 159- 
167, 1994. 

4. J. Dj. Golic and M. J. Mihaljevic, ”A generalized correlation attack on a class of 
stream ciphers based on the Levenshtein distance,” Journal of Cryptology, vol. 
3(3), pp. 201-212, 1991. 

5. J. Dj. Goli6, ”On the security of shift register based keystream generators,” Fast 
Software Encryption - Cambridge ’93, Lecture Notes in Computer Science, vol. 
809, R. J. Anderson ed., Springer- Verlag, pp. 90-100, 1994. 

6. J. Dj. Golid, ’’Towards fast correlation atta.cks on irregularly clocked shift regis- 
ters,” Advances in Cryptology - EUROCRYPT ’95, Lecture Notes in Computer 
Science, vol. 921, L. C. Guillou and J.-J. Quisquater eds., Springer- Verlag, pp. 
248-262, 1995. 

7. J. Dj. Golic, ’’Linear models for keystream generators,” IEEE Trans. Computers, 
vol. C-45, pp. 41-49, Jan. 1996. 

8. J. Dj. Golic, ”On the security of nonlinear filter generators,” Fast Software Encryp- 
tion - Cambridge ’96, Lecture Notes in Computer Science, vol. 1039, D. Gollmann 
ed., Springer- Verlag, pp. 173-188, 1996. 

9. J. Dj. Golic, A. Clark, and E. Dawson, ’’Generalized inversion attack on nonlinear 
filter generators,” submitted. 

10. T. H. Harris, The Theory of Branching Processes. Berlin: Springer- Verlag, 1963. 

11. R. Menicocci, ’’Cryptanalysis of a two-stage Gollmann cascade generator,” Pro- 
ceedings of SPEC ’93, Rome, Italy, pp. 62-69, 1993. 

12. R. A. Rueppel, ’’Stream ciphers,” Contemporary Cryptology: The Science of Infor- 
mation Integrity, G. Simmons ed., pp. 65-134. New York: IEEE Press, 1991. 

13. B. Schneier, Applied Cryptography. New York: Wiley, 1996. 

14. S. Shepherd and W. Chambers, private communication. 




Lower Bounds for Discrete Logarithms and 
Related Problems 



Victor Shoup 

IBM Research-Ziirich, Saumerstr. 4, 8803 Riischlikon, Switzerland 
shoOzur ich . ibm . com 



Abstract. This paper considers the computational complexity of the 
discrete logarithm and related problems in the context of “generic 
algorithms” — that is, algorithms which do not exploit any special prop- 
erties of the encodings of group elements, other than the property that 
each group element is encoded as a unique binary string. Lower bounds 
on the complexity of these problems are proved that match the known 
upper boimds; any generic algorithm must perform group oper- 

ations, where p is the largest prime dividing the order of the group. Also, 
a new method for correcting a faulty Diffie-HeUman oracle is presented. 



1 Introduction 

The discrete logarithm problem plays an important role in cryptography. The 
problem is this: given a generator ^ of a cyclic group G, and an element in 
G, determine x. A related problem is the Diffie-Hellman problem: given and 
, determine 5 ®^. 

In this paper, we study the computational power of “generic algorithms” — 
that is, algorithms which do not exploit any special properties of the encodings 
of group elements, other than the property that each group element is encoded 
as a unique binary string. For the discrete logarithm problem, as well as several 
other related problems, including the Diffie-Hellman problem, we present lower 
bounds that match the known upper bounds for these problems. We also give a 
new method for correcting a faulty Diffie-Hellman oracle. 



Generic Algorithms 

Let Z/n be the additive group of integers mod n, and let 5 be a set of bit strings 
of cardinality at least n. An encoding function of Z/n on S is an injective map 
a from Z/n into S. 

A generic algorithm A for Z/n on 5 is a probabilistic algorithm that behaves 
as follows. It takes as input an encoding list (a{xi ), . . . , <j{xk)), where each Xi is 
in Z/n, and cr is an encoding function of Tijn on 5. As the algorithm executes, it 
may from time to time consult an oracle, specifying two indices i and j into the 
encoding list, and a sign bit. The oracle computes a{xi ± Xj), according to the 
specified sign bit, and this bit string is appended to the encoding list (to which 
A always has access). The output of A is a bit string denoted A(cr; zi, . . . , Xk). 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 256-266, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




257 



Note that the algorithm A depends on n and S, but not on a; information 
about a is only available to A through the oracle. 

To measure the running time of such an algorithm, we count both the number 
of bit operations, and the number of group operations (i.e., oracle queries). 

It is readily seen that the classical Pohlig-Hellman algorithm [8] is a generic 
algorithm. Let p denote the largest prime divisor of n. Assuming the strings 
in 5 have a length that is polynomial in logn, this algorithm has a running 
time of p^/^(logn)*^(^), and this bound holds uniformly for all possible encoding 
functions. Note that this algorithm makes essential use of the fact that group 
elements are uniquely encoded as bit strings, which facilitates the use of fast 
sorting-and-searching techniques . 

Pollard’s discrete logarithm algorithm [9] also falls into this generic class. 
This algorithm is much more space efficient than the Pohlig-Hellman algorithm, 
but its efficiency relies on the heuristic assumption that the encoding function 
behaves like a random mapping. 

As an example, consider the multiplicative group (Z/g)* for a prime q, to- 
gether with a generator g for this group. Here, n = g — 1, and the relevant 
encoding function sends a e Z/n to the binary encoding of mod q. 

Of course, not all algorithms for the discrete logarithm problem are generic. 
Index-calculus methods for (Z/g)*, for example, do not fall in this category, 
and our results have no bearing on such algorithms. For groups associated with 
elliptic curves, however, the only known algorithms for discrete logarithms are 
generic. Our results imply that for elliptic curves, one cannot substantially im- 
prove upon the Pohlig-Hellman algorithm using generic algorithms: some method 
must be devised to exploit the particular representation of group elements. 



Summary of Results 

In §2 we consider the discrete logarithm problem. Theorem 1 says that any 
generic algorithm that solves (with high probability) the discrete logarithm prob- 
lem on Z/n must perform at least group operations, where p is the largest 

prime dividing n. The theorem shows that for any algorithm, there must be an 
encoding function for which it makes 0[p^^^) queries to the group oracle; we 
do this by showing that this must hold for a random encoding function, and a 
random input. 

Theorem 2 deals with the analog for the discrete logarithm problem in non- 
cyclic groups, which was suggested to the author by Buchmann [3]. Suppose G 
is the product of r cyclic groups of prime order p. Then any generic algorithm 
that (with high probability) expresses a given element on a given basis for G 
must perform at least group operations. 

In §3 we consider the Diffie-Hellman problem. Theorem 3 proves the analog 
of Theorem 1 for the Diffie-Hellman problem. 

Theorem 4 shows that if the group order is divisible by only large primes, 
then it is hard to simply determine which of two possible solutions is correct. 

Theorem 5 deals with the problem of solving the Diffie-Hellman problem 
in subgroups. Suppose we are given an oracle for solving the Diffie-Hellman 




258 



problem in a group G, and now want to solve the Diffie-Hellman problem in 
a proper subgroup H. This problem is interesting, as it plays an important 
role in Maurer’s [5] and Boneh and Lipton’s [2] reductions from the discrete 
logarithm problem to the DifEe-Hellman problem; they require DifEe-Hellman 
oracles for prime-order subgroups. Theorem 5 implies that in the context of 
generic algorithms, there are situations where the oracle for G does not help at 
all in solving the problem in H . 

In §4 we consider the security of an identification scheme due to Schnorr 
[10] based on the discrete logarithm problem. While this scheme is known to be 
secure against “passive” attacks, its security against “active” attacks is not well 
understood. Theorem 6 shows that this scheme is indeed secure against active 
attacks when the adversary is a generic algorithm. 

In §5 we consider a quite different problem: given a faulty oracle for the Diffie- 
Hellman problem, how to make it highly reliable? One reason that this problem is 
interesting is that the reductions of Maurer and Boneh/Lipton mentioned above 
require reliable oracles. That is, these reductions say that if Diffie-Hellman is 
“easy," then the discrete logarithm is “easy.” However, in proving the security of 
a cryptosystem based on the Diffie-Hellman problem, one normally assumes that 
this problem is “hard.” The above reductions do not allow one to directly weaken 
this to an assumption that the discrete logarithm is “hard” : that a problem is 
not “hard” does not imply that it is “easy”. For this, one must solve precisely 
the problem we address; making a faulty oracle reliable. 

In light of our Theorem 4, standard techniques for amplifying correctness do 
not apply to the Diffie-Hellman problem. Theorem 7 and its corollary show how 
to efficiently turn an oracle that is occtisionally correct into one that is almost 
always correct. The theorem is also useful in the application of the Goldteich- 
Levin theorem to hard bits of the Diffie-Hellman problem. 

Related Work 

Babai and Szemeredi [1] proved lower bounds in a “black box” model in which 
the encoding of group elements is not necessarily unique, and the group oracle 
must be consulted to test for equality. For a cyclic group of order n, if p is the 
largest prime divisor of n, their results give an f7(p) lower bound. Note that the 
Pohlig-Hellman algorithm does not work in this model. 

More recently, Nechaev [7] considered algorithms for the discrete logarithm 
problem in the following computational model: an algorithm is allowed to per- 
form group operations and equality tests, but no other operations on group 
elements are allowed — the notion of encodings of elements does not enter into 
this model at all. While the above 0{p) lower bound still applies to the total 
running time, Nechaev proves an lower bound on the number of group 

operations alone. These bounds match a variant of the Pohlig-Hellman algorithm 
in which only linear searching techniques are used. 

One can view our results as an extension of Nechaev’s results to a broader 
and more natural class of algorithms, and to a wider range of problems related 
to the discrete logarithm problem. 




259 



For the problem of correcting a faulty Diffie-Hellman oracle, Maurer and Wolf 
[6] independently devised a scheme based on techniques quite different from ours. 
It seems that our scheme is substantially simpler and more efficient than theirs. 

2 The Discrete Logarithm Problem 

The main result of this section is the following. 

Theorem 1 Let n be a positive integer whose largest prime divisor is p. Let 
S C {0, 1}* he a set of cardinality at least n. Let A be a generic algorithm for 
Z/n on S that makes at most m oracle queries. If x £ Tijn and an encoding 
function a are chosen at random, then the probability that A{a-,l,x) x is 
0{rn^/p). 

Note that the above probability is taken over the random choices of cr and x, 
as well as the coin flips of A. The theorem implies that for any algorithm, there 
exists an encoding function a for which it succeeds with probability 0{m^/p), 
taking the probability over x and the coin flips of >1. If we insist that A succeed 
with probability bounded away from 0 by a constant, this translates into a lower 
bound of n{p^f^) on the number of group operations. 

To prove this and several other theorems, we need the following lemma. 

Lemma 1 Let p be prime and let t > 1. Let F{Xi,...,Xk) e Z/p^[Xu-..,Xk] 
be a nonzero polynomial of total degree d. Then for random x\, . . ,,Xk G Z/p*, 
the probability that F{xi, . . . , x^) = 0 is af most d/p. 

Proof. For f = 1, this is proved in Schwartz [11]. For t > 1, one divides the 
equation F = 0 by the highest possible power of p, and obtains a nonzero 
equation of no greater degree that holds modulo p. If Xi , . . . , x* are chosen from 
Z/p* at random, then their images in Z/p are random as well, and so we can 
apply the result for t = 1. □ 

We now sketch the proof of Theorem 1. Let n = p’^s, where (p, s) = 1. Instead 
of letting the algorithm interact with the actual oracle, we play the following 
game. Let X be an indeterminant. At any step in the game, the algorithm has 
computed a list Fi, . . . , Fk of linear polynomials in Z/p*[X], along with a list 
z\, . . . ,Zk of values in Z/s, and a list cti, . . . , cr* of distinct values in S. At the 
beginning of the game, k = 2, Fi = 1 and F 2 = X; zi = 1 and Z 2 is chosen 
at random; cri and 02 are chosen at random, subject to ai ^ ct 2. When the 
oracle is given two indices i and j, we append new values Fk+uZk+i,crk+i to 
the appropriate lists as follows. We compute Fk+i = ± Fj £ Z/p*[A‘] and 

Zk.{-i — Zi dz Zj € Z/s. If Ffc+i = F; and Zk+i = zi for some I with 1 < 1 < A;, we 
set (7k+i = (Ti \ otherwise, we set 47*+ 1 to a random element in S distinct from 

(7i, . . . , (T;.. 

When the algorithm terminates, it outputs some y £ Zjn. Let 3/ be the 
image of y in Z/p‘. Now we choose a random x £ Z/p*. We say the algorithm 
wins the game if Fj(x) = Fj(x) for any Fi ^ Fj or if x = y' . 




260 



Fixi, j with Fi ^ Fj, and set F — Fi — Fj. Now, since F ^ 0, and degi^ < 1, 
then by Lemma 1, the probability that F{x) = 0 is at most 1/p. Likewise, the 
probability that x = y' is at most 1/p. It follows that the probability that the 
algorithm wins the above game is 0(m^/p). 

To finish the proof, one must only observe that the behavior of this game 
differs from an actual interaction between the algorithm and oracle only when 
the algorithm wins the above game. Therefore, the probability that the algorithm 
outputs the correct answer is bounded by the probability that the algorithm wins 
the above game. 

To make the above argument completely rigorous, one can easily construct 
a single probability space that is shared by both the actual interaction and the 
above game, such that 

(1) the shared probability space does not change the behavior of either the actual 
interaction or the above game, and 

(2) in this shared space, the event that A outputs the correct answer in the 
actual interaction is contained in the event that A wins the above game. 

The details of this are quite straightforward, and are omitted. That completes 
the proof of Theorem 1 . 

We now consider a variation of the discrete logarithm problem that applies 
to non-cyclic groups. 

Suppose that G=Z/px-xZ/pis the product of r cyclic groups of order 
Pi where p is prime. The input consists of the encodings of the unit vectors 
cj, . . .,6^1 along with the encoding of an element (ki, . . . , ir) 6 G. The output 
should be (xi, . . . , a:^). Here, an encoding function is an injective map u from G 
into some set S of at least p'" bit strings. The following theorem establishes an 
f?(p’'/^) lower bound for this problem with respect to generic algorithms. Note 
that a simple generalization of the Pohlig-Hellman algorithm gives a matching 
upper bound. 

Theorem 2 Let A he a generic algorithm for G on S for the above problem that 
makes at most m oracle queries. If {x\, . . . , Xr) G G and an encoding function a 
are chosen at random, then the probability that 

^(cr;ei, . . ,,e,., (xi, . . .,x^)) = (xi, . . . ,x^) 

IS 0{m^ /p^). 

The proof is similar to that of Theorem 1. We sketch the differences. Let 
Xi, . . . ,Xt be indeterminants. We play the same game as before, but instead of 
a list of polynomials, we maintain a list of r-tuples, each of which has the form 



(aJCi + 6i , aX2 + ^2 > • • • > aX.^ + i'r ) 1 

where a, 61, . . . , 6r G 'Ljp. The key observation is that when we add or subtract 
(component- wise) two r-tuples of this form, we get an r-tuple of the same form. 




261 



Also, by Lemma 1, the probability that a nonzero r-tuple of this form vanishes 
when Xi, . . ,,Xr are substituted with random values is at most 1/p’'. The rest 
of the proof goes as before. 

One can easily extend the above theorem to an arbitrary finite abelian group 
G = Z/ni X ■ ■ ■ X "Z/rir, obtaining a lower bound of where p is a prime 

and k is the number of moduli rii divisible by p. 

3 The Diffie-Hellman Problem 

In this section, we prove a lower bound for the Diffie-Hellman problem. 

Theorem 3 Let n be a positive integer whose largest prime divisor is p. Let 
S C {0, 1}* be a set of cardinality at least n. Let A be a generic algorithm for 
Z/n on S that makes at most m oracle queries. If x,y G Tjjn and an encoding 
function a are chosen at random, then the probability that A(cr; l,x,y) = cr{xy) 
IS 0{rn? /p). 

The proof of this is similar to that of Theorem 1. We may assume that the 
output of A is one of the encodings obtained from the oracle, since otherwise 
the success probability is bounded by l/(p — m). We play precisely the same 
game as there, except that we maintain a list of polynomials Fi in the variables 
X,Y over Z/p^, where each polynomial has total degree 1. When the algorithm 
terminates, we pick x,y G T^jp*' at random, and we say that the algorithm wins 
the game if Fi[x,y) = Fj{x,y) for some Fi ^ Fj, or if Fi{x,y) = xy for some 
i. Applying Lemma 1, for fixed i,j, the probability that Fi — Fj vanishes is at 
most 1/p, and for fixed i, the probability that Fi — XY vanishes is at most 2/p. 
It follows that the probability that the algorithm wins this game is 0{mf /p). 

That completes the proof of Theorem 3. 

When n is divisible by only small primes, just determining which of two 
possible answers is the correct one is hard. 

Theorem 4 Let n be a positive integer whose smallest prime divisor is p. Let 
S’ C {0, 1}* fee a set of cardinality at least n. Let A be a generic algorithm for 
Z/n on S that makes at most m oracle queries. Let x,y,z E Z/n fee chosen at 
random, let a be a random encoding function, and let b be a random bit. Also, 
let Wo = xy and wi — z. Then the probability that A(cr; 1, z:, p, u;;,, u)i_b) = fe is 
1/2 4- 0{rn^ ! p). 

We sketch the proof. We play a similar game as before, this time maintain- 
ing a list of polynomials Fi{X,Y,U,V) over Z/n of total degree 1, assigning 
to each distinct polynomial a distinct random encoding. We say the algorithm 
wins the game if for any Fi -f Fj, we have Fi(x,y,xy,z) = Fj(x,y,xy, z), or 
Fi[x, y, z, xy) = Fj(x, y, z, xy). For a fixed Fi Fj, the polynomial Fi — Fj must 




262 



be nonzero modulo some prime power 5 * that exactly divides n. Since the im- 
ages X, y, and z in Z/q* are also uniformly distributed, by Lemma 1, the above 
condition holds with probability at most 4/q < 4/p. Thus, the probability that 
the algorithm wins the game is 0{m? fp). Moreover, it is clear that in the actual 
interaction between the algorithm and the oracle, the probability that the algo- 
rithm determines b is bounded by 1/2 plus the probability that the algorithm 
wins the above game. 

We close this section with a look at the following question. Suppose we have 
a cyclic group G, and we have an oracle for the DifRe-Hellman problem in G. 
Can we use this oracle to solve the Diffie-Hellman problem efficiently in a proper 
subgroup H? It is not difficult to see that if lG|/|if|) is divisible only by 
small primes, then this problem can be solved efficiently. More specifically, if p 
is the largest prime dividing (|i/|, |G 1 /|JT|), the problem can be solved in time 
p'-'^^(logn)°C). The following theorem shows that this bound is essentially tight, 
and thus for large p the problem can not be solved efficiently using a generic 
algorithm. 

To study this problem, we extend the notion of a generic algorithm so as 
to include a Diffie-Hellman oracle: given indices i and j, the oracle computes 
a[xi ■ Xj). The output of such an algorithm A is denoted by Adu{ct; ®i, . . . , a;*). 

Theorem 5 Let n be a positive integer, and let I be a divisor of n such that for 
some prime p, I = I'p’ , n — n'p‘, and < > s > 0. Let S C {0, 1}* be a set of 
cardinality at least n. Let A be a generic algorithm for Z/n on S that makes at 
most m oracle queries. If x £ Z/n and an encoding function cr are chosen at 
random, then the probability that AoHio", l,lx,ly) = a{lxy) is 0{{t/s) ■ m^/p). 

We sketch the proof in the case V — n' = \. The more general case is dealt 
with as in Theorem 1. Let d = [f/s] — 1. We play the usual game, this time 
maintaining a list of polynomials Fi{X,Y) in the variables X and Y over Z/p'^ , 
each of which has the form 

^p^'= ^ a.,rYL 

k=0 i+j=k 

The key observation is that when we add, subtract, or even multiply two poly- 
nomials of this form, we get a polynomial that is also of this form. When the 
algorithm terminates, we select x,y E Zfp^ at random, and the algorithm wins 
the game if for some F{ Fj, Fi{x, y) — Fj[x, y) or for some i, Fi{x,y) = p‘xy. 
By Lemma 1, this happens with probability at most G(dm^/p). 

4 Analysis of an Identification Scheme 

An identification scheme is an interactive protocol that allows one party P to 
prove its identity to another party V . To do this, P has a public key, which is 
known to all parties, and a private key, which is known only to himself. 




263 



Such a scheme is considered secure if an adversary can not feasibly make V 
believe it is conducting the protocol with P. One can allow the adversary to 
first interact with P, pretending to be V (but not not necessarily following Vs 
protocol), in order to gain some information about P’s secret key that will be of 
use in its impersonation attempt. Such an attack is called “active.” An attack 
where no prior interaction with P is allowed is called “passive.” Clearly, security 
against active attacks is preferable to security against passive attacks. 

An identification scheme due to Schnorr [10] runs as follows. Let G be a 
cyclic group of order n, with a publicly known generator g. P’s private key is an 
element x G Z/n, and its pnblic key is h = p®. The value x is randomly chosen. 
In the first step of the protocol, P generates r € 'Lin at random, computes 
h! = g’^ , and sends h' to V. Upon receiving h' , V chooses e G Z/n at random, 
and sends e to P. Upon receiving e, P computes y = r + xe G Z/n and sends 
y to V. Upon receiving y, V checks that g^ = h'h^. If this identity holds, V 
accepts; otherwise, V rejects. 

In his paper, Schnorr shows that this protocol is secure against passive at- 
tacks, assuming the discrete logarithm is hard. We prove that the scheme is 
secure against a active adversary that behaves as a generic algorithm. 

Theorem 6 Consider the above identification scheme in a generic setting; that 
IS, there is an encoding function a mapping elements ofLjn into a set S of bit 
strings. Suppose that the adversary makes no more than m interactions with P 
or queries to the group oracle, and that cr is chosen at random. Suppose also that 
the private key x is chosen at random. Then the probability that the adversary 
successfully impersonates P is 0{m^/p), where p is the largest prime dividing n. 

The above probability is taken over cr, x, and the coin tosses of all of the 
players. In proving this theorem, we allow the adversary to interact with several 
instances of P in parallel — we do not require that one interaction ends before 
the next one begins. 

We sketch the proof for n — p\ the more general case is dealt with as in 
Theorem 1. 

We use the same type of game argument that we used in proving the other 
theorems, but with a few changes. In this game, we maintain a list of degree 1 
polynomials Fi{X, Ri, R 2 , . . . , Rm) in m + 1 variables over Z/p, corresponding 
to the group elements the adversary has seen so far, along with a corresponding 
list of random encodings. 

Initially, the list of polynomials contains the two polynomials 1 and X. When- 
ever the adversary starts an interaction with P for the kth time, we add the 
polynomial Rk to the polynomial list, and a distinct random encoding to the list 
of encodings. Whenever the adversary consults the group oracle, we add to the 
polynomial list the sum of the appropriate polynomials; we either either re-use 
an encoding or generate a distinct random encoding, as appropriate. 

Now suppose the adversary sends a challenge e to the Ith instance of P. In 
our game, we do the following: we choose y G Z/p at random, and send y to the 
adversary as the response from P; we also go through our list of polynomials 




264 



and substitute y — eX for the variable Ri wherever it appears. If upon making 
this substitution any two distinct polynomials in the list become equal, we quit 
and we say the adversary wins. Otherwise, we continue the game. 

Now suppose the adversary attempts an impersonation. Without loss of gen- 
erality, we may assume the adversary has completed all interactions with P that 
it started. So it has collected a list Fi, . . . , Fm+2 G Z/p[X] of polynomials along 
with a list of encodings. In the first step of the protocol, the adversary presents 
the encoding of some group element corresponding to one of these polynomials, 
say Fi- Next V chooses e G Z/p at random. If Fj -|- eX is a constant polynomial, 
we quit and say the adversary wins. Otherwise, the adversary chooses y G Z/p. 
Finally, we choose x G Z/p at random, and we say that the adversary wins if 
y = Fi(x) + ex or if Fi(x) = Fj(x) for any Fj yf Fj. 

That completes the description of the game. First observe that the behavior 
of this game deviates from that of the actual interaction only if the adversary 
wins the game. So it suffices to bound the probability that the adversary wins 
the game. It is relatively straightforward to show that this is 0(m^/p). One 
observation to bear in mind is the following. When making a substitution y — eX 
for a variable Rj,, one need only count pairs of polynomials Fj ^ Fj such that 
Fj — Fj G Z/p[X, Ffc] and the coefficient of Rk is nonzero. But note that if we 
count this pair when substituting for Ffc, we will not count this pair when we 
later make a substitution for some other Ri . Thus, the total number of pairs we 
need to count is 

5 A DifRe-Hellman Self-Corrector 

In this section, we consider the following problem. Let G be a cyclic group 
of order n with generator g. Suppose we have a “faulty” oracle for the Diffie- 
Hellman problem; that is, given y** and , the oracle outputs g'^ , such that 
c = ab (mod n) with probability at least «. We take this probability to be over the 
random choice of a and 6 mod n, and any coin tosses of the oracle. Here, e is small, 
but nonnegligible. The problem is to use this oracle to build an efficient algorithm 
for the Diffie-Hellman problem whose output is almost certainly correct for all 
inputs. One motivation for this problem is again the reductions of [5] and [2] from 
the discrete logarithm problem to the Diffie-Hellman problem; these reductions 
require a nearly-perfect oracle — a faulty oracle will simply not do. 

Given such an oracle, using the standard random self-reduction, we can run it 
0(1/ e) times so that with high probability one of its outputs is correct. However, 
as we have seen, in the generic model we have no hope of determining which 
output is correct. 

We consider the following, more general, problem. We define a (k,S) Diffie- 
Hellman oracle as follows: for all inputs g‘^,g^, it produces a list of k elements 
in G such that this list contains with probability at least i. The problem is 
to use this oracle to solve the Diffie-Hellman problem. 

Another situation in which this type of oracle arises is in the hard-bit con- 
struction of Goldreich and Levin [4] , where a bit-predicting oracle can be turned 
into this type of oracle. 




265 



Theorem 7 Given a {k,6) Diffie- Heilman oracle with S y 7 /8, we can construct 
a probabilistic (generic) algorithm for the Dijfie- Heilman problem with the fol- 
lowing properties. For given a, withO < a < 1, the algorithm makes 0(log(l/a)) 
queries to the {k,S) oracle, and performs an additional 0(log(l/a)Ailogn + 
(logn)^) group operations. For all inputs, the output of the algorithm is cor- 
rect with probability at least I — a. 

As an immediate corollary, we have; 

Corollary 1 Given a faulty Diffie- Heilman oracle that has a success probabil- 
ity of e, we can construct a probabilistic algorithm for the Diffie- Heilman prob- 
lem with the following properties. For given a, with 0 < a < 1, the algorithm 
makes log(l/a)) queries to the faulty oracle, and performs an additional 

log(l/a) logn + (logn)^) group operations. For all inputs, the output of 
the algorithm is correct with probability at least 1 — a . 

To prove Theorem 7, we assume that n is known, and that for all prime 
factors p of n, k^/p < 1/8. If this does not hold, we can partially factor n, and 
apply the Pohlig-Hellman algorithm to the “smooth” part. A straightforward 
calculation shows that this takes 0(A:logn + (logn)^) group operations. So we 
can assume that n is of the desired form. 

For given g^,g^ , the following algorithm either reports failure, or outputs a 
single value g'^ . The algorithm makes two queries to the (A:, tS) oracle and performs 
an additional 0{k log n) group operations. The probability that it reports failure 
is at most 3/8. The conditional probability that g'^ ^ given that it does not 
report failure, is 2/7. The Diffie-Hellman algorithm then simply runs the above 
algorithm 0(log(l/a)) times, taking the majority of the non-failure outputs. 

We call the {k,^') oracle twice, first with g‘^,g^, obtaining a list gi,...,9k 
of group elements. Next, we choose k, y € {0, . . . , n — 1} at random, and send 
{g‘^Yg^ ,g^ to the {k,5) oracle, obtaining a list y^, ■ ■ .,g'j^ of group elements. Next, 
for all 1 < z < /s and 1 < J < we test if 

( 1 ) 

If (1) is satisfied for a unique pair {gi,g'j), we output y,; otherwise, we report 
failure. Note that standard sorting-and-searching techniques can be used to make 
this last step efficient. 

The claimed running-time bound is easily verified. We now analyze its cor- 
rectness. Let z — ax -\-y. Fix i and j, and suppose gi = and g) = y'*. Suppose 
c ~ ah (mod n). Then (1) is satisfied if and only if and d= zb (mod n). Now sup- 
pose c ^ ab (mod n). Then for some prime power p^ that exactly divides n, we 
must have c ^ ab (mod p‘). In this case, the probability that (1) holds is at most 
the conditional probability that for random x,y mod p*^ , cx by = d (mod p‘), 
given that ax -i- y = z (mod p‘). This is equal to the probability that for fixed z 
and random x, {c — ab)x + bz — d = 0 (mod p*), which is by Lemma 1 at most 

1/p. 




266 



There are three mutually exclusive events of interest: the algorithm either 
(F) reports failure, (I) produces an incorrect output, or (G) produces a correct 
output. 

Pr[F] + Pr[J] is bounded by the probability that one of the lists does not 
contain a correct output, or that any extraneous relations (1) hold. This happens 
with probability at most 1/8 + 1/8 + ^^/p < 3/8, 

Pr[J] is bounded by the probability that one of the lists does not contain 
a correct output. This is because if both lists contain a correct output, any 
extraneous relations (1) that hold will cause the algorithm to report failure. 
This probability is thus bounded by 1/8 + 1/8 = 1/4. 

It trivially follows that Pr[F] is bounded by 3/8. Moreover, by a simple 
calculation, Pr[/]/(Pr[/] + Pr[(7]) is bounded by 2/7. 

References 

1. L. Babai eind E. Szemeredi. On the complexity of matrix group problems I. In 25th 
j4unual Sympos%um on Foundations of Computer Science, pages 229-240, 1984. 

2. D. Boneh and R. J. Lipton. Algorithms for black-box fields and their application 
to cryptography. In Advances in Cryptology-Crypto '96, pages 283-297, 1996. 

3. J. Buchmann, 1995. Personal communication. 

4. O. Goldreich and L. A. Levin. A hard-core predicate for all one-way functions. In 
21st Annual ACM Symposium on Theory of Computing, pages 25-32, 1989. 

5. U. Maurer. Towards the equivalence of breaking the DifRe-Hellman protocol and 
computing discrete logarithms. In Advances in Cryptology-Crypto '94, pages 271- 
281, 1994. 

6. U. Maurer and S. Wolf. Diffie-Hellman oracles. In Advances in Cryptology-Crypto 
'96, pages 268-282, 1996. 

7. V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm. 
Mathematical Notes, 55(2);165-172, 1994. Translated from Matematicheskie Za- 
metki, 55(2):91-101, 1994. 

8. S. Pohlig and M. Heilman. An improved algorithm for computing logarithms over 
GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory, 24:106-110, 
1978. 

9. J. M. Pollard. Monte Carlo methods for index computation mod p. Mathematics 
of Computation, 32:918-924, 1978. 

10. C. Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4:161- 
174, 1991. 

11. J. T. Schwartz. Fast probabilistic ^llgo^ithms for verification of polynomial identi- 
ties. J. ACM, 27(4):701-717, 1980. 




stronger Security Proofs for 
RSA and Rabin Bits 

R. Fischlin and C.P. ScHNORR 

Fachbereich Mathematik/Informatik 
Universitat Frankfurt 
PSF 111932 

60054 Frankfurt/Main, Germany 



Abstract. The RSA and Rabin encryption function are respectively 
defined as En{x) = i* mod N and £>r(ar) = mod N, where A is a 
product of two large random primes p, q and e is relatively prime to 
q>{N). We present a much simpler and stronger proof of the result of 
Alexi, Chor, Goldreich and Schnorr [ACGS88] that the following 
problems are equivalent by probabiUstic polynomial time reductions; (1) 
given En(x) find x; (2) given En(x) predict the least-significant bit 
of X with success probability ^ , where N hcis n bits. The new 

proof consists of a more efficient algorithm for inverting the RSA/Rabin- 
function with the help of an oracle that predicts the leaist-significant bit 
of X. It yields provable security gu«krantees for RSA-message bits and for 
the RSA-random number generator for moduli N of practical size. 



1 Introduction 

Randomness is a fundamental computational resource and the efficient genera- 
tion of provably secure pseudorandom bits is a basic problem. Yao [Y82] and 
Blum, Micali [BM84] have shown that perfect random number generators 
(RNG) exist under reasonable complexity assumptions. Some perfect RNG’s 
are based on the RSA-function Eff{x) — mod N and the Rabin-function 
£J;v(a;) = x^ mod N, where the integer IV is a product of two large random primes 
p, q and e is relatively prime to <p{N) = (p— 1)(? — 1). The corresponding RNG 
transforms a random seed xq € [1,N) into a bit string <>i, . • .,6m of arbitrary 
polynomial length m = according to the recursion Xi := £'jvr(a;,_i) , 6,- := 

Xi mod 2, where N has n bits. The security of these RNG’s is related to a result 
of [ACGS88] that the RSA/Rabin-function can be inverted in polynomial time 
if one is given an oracle which predicts from given £’at(x) the least-significant bit 
of X with success probability ^ -|- While the ACGS-result shows that the 

RSA/Rabin RNG is perfect in an asymptotic sense the practicality of this re- 
sult has been questionable as the transformation of attacks against these RNG’s 
into a full inversion of the RSA/Rabin-function (resp. the factorization of N) is 
rather slow. 

The main contribution of this paper is a much simpler and stronger proof 
of the ACGS-result. The new proof gives a more efficient algorithm for the in- 
version of the RSA/Rabin-function if one is given an oracle that predicts the 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 267-279, 1997. 
© Springer-Verlag Berlin Fleidelberg 1997 




268 



least significant message bit. While the new method is primarily of theoretical 
interest, it yields a security guarantee for moduli N of practical size. We extend 
our results to the Rabin-function Eff(x) = mod N. The reduction from En- 
inversion, resp. factoring N , to prediction is particular efficient for the absolute 
Rabin-function E^(x) = \x^ mod N\, where |t/| = min(j/, N — y). 

Notation. Let N be product of two large primes p, q. Let TLn = TLjNTL be the 
ring of integers modulo N , and let 7L*fj denote the subgroup of invertible elements 
in 2Z jv ■ We represent elements x E TLm by their least nonnegative residue in the 
interval [0,AT), i.e., ZZ;v = [0,W). We let [aa;]Ar G [0, A^) denote the least non- 
negative residue of aa;( modi'/). We use [ax]jv for arithmetic expressions over TL 
while the arithmetic over a, x G TLs — [0, N) is done modulo N . Let n be the bit 
length of N, < W < 2". For x G Z we let £{x) = x mod 2 denote the least- 
significant bit of X. Let e be relatively prime to ip(N) = [p— 1)(5 — 1), e ^ 1. The 
RSA cryptosystem enciphers a message x e7Zn into En{x) — x® mod N. Let Oi 
be an oracle running in expected time T which, given Eff{x) and N, predicts the 
least-significant bit £{x) of x with advantages; Pr^ u,[Oi(£^jv(x)) = f(x)] > ^+£, 
where the probability refers to random x Gn [0, N) and the internal coin tosses 
w of the oracle. We assume that the time T of the oracle also covers the steps 
for the evaluation of the function Ef^. Throughout the paper we assume that 
and n are powers of 2, n > 2®. We let Ig denote the logarithm function with base 
2. For a finite set A let 6 Gh A denote a random element of A that is uniformly 
distributed. All time bounds count arithmetic steps using integers with lg(ne“^) 
bits. We use integers of that size for counting the votes in majority decisions. 

Our results. Consider the problem to compute from (x) and N the message 
X G 2Zjv with the help of the oracle 0\ but without knowing the factorization of 
N. The new method inverts E^ by iteratively tightening approximations uN of 
random multiples [ax];v with known multiplier a via binary division. The basic 
idea is that [^ax]^ = ^ [ax]Ar for even [ax]jv> ^ ([ax]jv -t- N) for 

odd [ax]jv. Thus we get from a rational approximation uN to [ax];v and the 
least-significant bit £(ax) a tighter approximation to [^ax];v : 

[iox]jv - |(« + f(ax))A = i ( (axjAT - wA ). 

Without knowing x we get ^(u + £(ax))N from the multiplier a, the previous 
approximation uN and jSat(x). This in turn yields E/\f{ax) = E]g(a)Eff{x) and 
a guess Oi(A 7 v(ax)) for £{ax). Binary division without an oracle has alre£idy 
been used by Goldwasser, Micali, Tong [GMT82], The method of binary 
division is more efficient than the gcd-method in [BCS83], [ACGS88]. In order to 
decipher £'jv(x) it guesses the least-significant bits and approximate locations of 
two random multiples [ax]jv, [6 x]at whereas the gcd-method requires four random 
multiples. Most importantly, the number of oracle calls becomes nearly minimal. 

In section 2 we present our basic algorithm that inverts the RSA-function En 
in expected time 0(n^e"^ T -f where T is the time and e the advantage of 

oracle 0\ . The expectation refers to the internal coin tosses of Oi and of the in- 
version algorithm. This greatly improves the [ACGS88]-time bound 0(n^e“®T) 
for oracle RSA- inversion. The new time bound differentiates the costs induced by 
the oracle calls and the additional overhead. The oracle calls induce 0{n^s~^ T) 




269 



steps, we call the 0(n^e“®) other steps the additional overhead. We generalize 
our security result to the j-th least-significant message bit for arbitrary j. This 
generalization affects only the additional overhead of £^-inversion, the number 
of oracle calls remains unchanged. 

In section 3 we introduce the subsample majority rule, a trick that improves 
the efficiency of majority decisions. Suppose we are given pairwise independent 
0,1-vaIued votes that each has an advantage e in predicting the target bit £{atx). 
A large sample size m is necessary in order to make the error probability 
of the majority decision sufficiently small. To reduce the computational costs of 
the large sample we only use a small random subsample of it. While the random 
subsample induces only a small additional error probability the time for the 
subsample majority decision reduces to the size of the small subsample. The 
large sample is only mentally used for the analysis, it does not enter into the 
computation. Using this trick we gain a factor in the number of oracle calls 
and in the time for the inversion of £’jv- The reduced number of oracle calls is 
optimal up to factor O(lgn). 

In section 4 we process all possible locations for [uxJtv, much faster 
than trying them separately. This reduces the additional overhead in the time 
for RSA-inversion to lg(ne~*)). 

In section 5 we give conclusions for the security of RSA-message bits and 
of the RSA-random number generator for moduli N of practical size. These 
conclusions are preliminary as the additional overhead can be further reduced. 

In section 6 we extend the oracle inversion algorithm to the Rabin-function 
En and we derive a security guarantee for the mod N generator under the 
assumption that factoring is hard. The oracle inversion of the absolute Rabin- 
function is as fast as that of the RSA-function . For the centered Rabin-function 
the inversion runs in time 0(ne"^ lg(ne“^)T). The latter improves the previous 
time bound 0{n^e~^^T) due to [VV84] in connection with [ACGS88]. 



2 RSA-inversion by binary division 

We introduce a novel method for inverting the RSA-function without know- 
ing the factorization of N if one is given an oracle Oi that predicts the least- 
significant message bit with non-negligible advantage e. The algorithm RSA- 
inversion is a simple version of the new method, that will be made more effi- 
cient by subsequent modifications. In order to invert En{x) it picks two ran- 
dom multipliers a,b and guesses the least-significant bits and the approximate 
locations for the message multiples [aa;];^, [6x]^. For a* := mod N it iter- 
atively constructs rational approximations utN so that |[ata;];v — UtNj < ^ 
for t = 1, ...,n. To this end it uses the method of binary division explained in 
the introduction. From the approximation u„N to [a„a;]jv we get the message 
X = a“^ [unN + |J mod N. The main work is to determine the bits i{atx) by 
majority decision using the oracle 0\ . 

The majority decision for £{atx) uses multipliers at -I- lUf-i -t- b that are 
pairwise independent. Recall that the arithmetic on a,b,x,at is done modulo N . 




270 



The algorithm determines an integer Wt,i that most likely satisfies the equation 
{at + iot-i + b)x — [atK]j\r + j[at_ia:]Af + — Wt,iN, in which case we call Wt,i 

correct. The i-th measurement guesses t{atx) by evaluating I for both sides of 
the latter equation. We guess t for the left hand side via the oracle 0\ and we 
use that the right hand side is linear in l{atx). The majority decision performs 
m = min{2‘, 2n]e~^ measurements, where m and the set of integers t is 
chosen as to optimize the trade-off between error probability and efficiency of 
the majority decision. The use of pairwise independent multipliers for majority 
decision is a crucial contribution of [ACGS88]. 



RSA-inversion 



1. INPUT En{x), N 

t := 0 ( t is the stage ), pick random integers a, b Er C [0, N), 

guess rational integers « G [0, 4e“^), [0,4e“^) satisfying 

|[a®]AT — uN| < %-iV, — vN\ < |N. 

Guess the least-significant bits t{ax), £(bx), uq := a, uq it. 

2. WHILE t < n DO 

t:—t+l, at := ^at-i mod N, ut ~ ^(ut-i + £(at-ix)), 
m := min{2‘, 2n}£"^. 

Am {* I |1 + 2i| < m}, Wt,i := [uj -h iut-i + for all t G Am. 



Majority decision 



z := G Am 

£(at®) ;= [0 if 2 > 
3. OUTPUT X :-a- 



Oi(£’Ar((at -b iat_i -f 6)x)) = 1 

i£(af_ix) A — Wt,%N mod 2 j 
^ and 1 otherwise ] END while 
^ [u„N -t- |J mod N 



Correctness. If £{atx) is always correctly determined the rational approxima- 
tion U(N to [a(x]Af tightens from stage / — 1 to stage < by a factor As 
o-t = 2 ‘^t-i mod N we have [o{x]jv = for even [atxj^r = 

|([at_ix]AT -f N) for odd [at_ix]jv- Hence 

[atx]jv-UtN = [atx]iv - |(ut-i +£(at-iJ;))N - |([at_ix]jv - Ut_iN). (1) 



Probability of success. We call Wt,i corrects 0 < [atx]jv-t-i[a{_ix]/v + [&a;]jv — 
< N . Correct Wt^i satisfy the equation (as N is odd we have —Wt^iN = 
wt^i mod 2) : £((of + iat-i -f- 6)x) =:: £(atx) -f- i£{at-ix) + £{bx) + Wt^i mod 2. 

In the majority decision we replace in this equation £{{at -f iat-i + &)x) by 
Oi{EN{{at + iat-i + i)x)), and we determine £{atx) so that the equation holds 
for the majority of the i G Am - The algorithm succeeds if step 1 guesses correct- 
ly and if the majority decisions for £(atx) are all correct. In this case we have 
|[a„x]/yr — UnNI < ^ and thus a„x = [wnN -f mod N and the output 

is correct. All probabilities refer to the random pair (a, 6) Gn and to the 

coin tosses of the oracle. We use the conditional probability for the case that we 
are in the right alternative, where step 1 guesses correctly and the bits £{atx) of 
previous stages have been correctly determined. 




271 



Error probability of Wt,i. Let us denote W( ■ = Ut + iut-i + d so that Wt,i = 
,J. In the right eilternative we have by iteration of equation (1) [ojxjjv — 
UjN — 2“-’( [ax]jv — uN ) for all j < t. Therefore and since + 2i| < 1 for 

i € Am we have 

j[atx]jv + i[at_ix]N + [6x]jv - w't,iN\ < |(2“'e^|l + 2i| + l)N < \N. 
Hence inj ,- is correct except that there exists an integer between fN and 
[atx]AT + j[ot_ix] 7 v + Therefore wt,i errs with probability at most By 

using the m integers i G Am instead of i = 1, m we save a factor 2 in |i| and 
in the error probability of wt,i- 



Error probability of the majority decision. The multipliers (| + i)a + 6 

i| < ^ min(p, 4 ) since the matrix of the 2 Zjv-linear 



are pairwise independent for 
1 

transformation 



I, i+i 
1,1+i 



has determinant j — i f: 0 mod N and (a, 6 ) 



is random in (ZZj^)^. A similar argument shows that the errors of the Wt^i for 
i G Am are pairwise independent if we are in the right alternative. The i-th 
measurement is correct iff 



Oi(.Bjv((at + iat-i + b)x)) = ^(atx) + i£(at-\x) + £(bx) + Wt,i mod 2 . 
This is the case if the oracle guesses correctly and Wtj is correct. The error of 
the i-th measurement can be dominated by 0 , 1 -valued random variables Xt with 
E[Ai] = E[Oi(Siv((at +tat-i + 6 )a:)) # ^((a( + iat-i + 6 )z)] -|- E[iyt,< errs] 
so that the are pairwise independent for i G Am> Hence E[A,j < 5 — 
|e, Var[Ai] < 

A majority decision is correct iff the majority of the m measurements is cor- 
rect. A majority decision errs only if ^ |^i where p ^ E[X,j. 

We apply Chebyshev’s inequality to the m pairwise independent error variables 
Xi with i G Am- 



Chebyshev ’s inequality. 

Pr[ I ^ E< I > 1^] < E, Var[A,](mfe)-2 < 

By m = min{2‘, 2n}e“^ the majority decisions for ^(atx) errs with probability 
^ for t < 1 4 -lg n and with probability ^ for t > 1 -l-lg n. The majority decision 
fort = 1, ..., nhaveerror probability 3 x 5 + (2n — Ig n)/(9n) < | + | = |- 

Running time. We give an upper bound for the expected number of steps 
required to compute x when given Eff{x) and N. We separately count the steps 
of the or£icle calls and the other steps which form the additional overhead. 

The oracle is queried about Ef({{at -f iot_i -I- b)x) for t = 1, ...,n for the 
i € Am - The oracle calls depend on a,b but not on u,v,£(ax),£{bx). So we keep 
a, b fixed while we try all possibilities for «, ..., £{bx).As the algorithm has success 
rate | and calls the oracle at most m < 2 ne“^ times per stage, there are in total 
at most 3 • 2n^e~^T oracle calls. 

Each majority decision contributes to the additional overhead at most 2ne“^ 
steps that are performed with all oracle replies given. The algorithm does not 
need the exact rational Ut + v and merely computes wt^i = [«t d-v-f using 




272 



lg(ne ^) + 0(1) precision bits from «( + n and iut-i- We see that the additional 
overhead is at most the product of the following factors 



1. of quadruples (u, u, ^(ax), f(6x)) 

2. # of stages n 

3. # of steps per majority decision 2ne~^ 

4. the inverse of the success rate 3 



Hence the additional overhead is at most 3-2^n^e and thus the expected time 
for the inversion of is 3n^e~^(2T + 

Using an oracle for the j-th least- significant message bit. The j-th least- 
significant message bit ij{x) is called secure if En can be inverted in polynomial 
time via an oracle Oj that predicts ij{x) when given En{x). Let oracle Oj predict 
tj (x) with advantage £ in expected time T. With the oracle Oj the RSA-inversion 
proceeds in a similar way as for j = Lit guesses initially Lj (ax), Lj(6x) 6 [OiS-’), 
the integers that consist of the j least-significant bits of [axjjv, A main 

point is that the majority decision for £j{atx) takes into account carry overs 
from the j — I least-significant bits. The equation 

Lj..i{{at + iat-i + b)x) + 2^~^£j{{at + iat-i + b)x) = Lj-i(atx) + 
iLj-i{at-ix) + Lj-i{bx) -|- 2^~^{ ij{atx) -|- i^j(af-ix) -|-^j(6x) ) —wtjN mod 2^ 

holds for correct Wtj. In order to predict ij(atx) we replace in this equation 
£j((ae -t- iat-i -4- 6)x) by Oj(Ei<f((at + *“t-i + b)x)) and we recover Lj_i((aj -f 
iat-i + b)x), Lj-i(atx) and Lj-i{at-ix) recursively from the initial values 
Lj{ax), Lj{bx), the approximate locations uN,vN and N. We choose £j(atx) 
so that the equation holds for the majority of i E Am ■ 

The time of the inversion algorithm does not change from the case j = 1 to 
arbitrary j, except that the factor under 1. increases to 2^-' 4^6“'^ as we have to 
guess Lj(ax), Lj{bx) E [0,2'’). Now the time bound for RSA-inversion via Oj is 
0{n‘^£~^{T -\-2^^e~‘*)) while it is 0(2^-’n^e“®T) for the ACGS-algorithm. There 
is a double advantage in the new time bound. The factor 2^^ decreases to 2^-’ and 
it only affects the additional overhead. The additional overhead can be reduced 
by the method in section 4 to 0(n^e~‘^ 

3 From pairwise to mutually independent votes. 

We introduce the subsample majority decision, a trick that reduces the number 
of oracle calls for RSA-inversion by a factor Ign/n. Suppose we have m pairwise 
independent 0,1-valued random variables (votes) Vi for i E Am that have ad- 
vantage £ in predicting the target bit £{atx). The error probability of a majority 
decision is so we need a large m to make this error small. To reduce the 
computational costs of the large sample we only use a small random subsample 
consisting of m' <§; m votes that are selected uniformly at random. Now the votes 
of the subsample are mutually independent, even though the original votes are 
merely pairwise independent, and their advantage e' is close to e. While the sub- 
sample induces only a small additional error probability exp(— 2m'e'^) the time 




273 



for the subsample majority decision is only m' . The large sample only appears in 
the mental error analysis, it does not enter into the computation. We can even fix 
a random subset A'^, C Am for all SMAJ-calls, where Am := {* I |1 + < m} 

as in section 2. Theorem 3 in section 4 uses such a fixed subset Am' ■ 

Subsample Majority Decision (SMAJ). Pick (i' (1 i/(m')) Gh (Am)”* 
and guess that f(ata;) is Vjy(i) > ^]- 

As in section 2 let Xi be the error of the vote V) so that E[A,] < ^ — |e- 
We denote /i = T ~ m Consider the case that 

\p' — p\ < which by Chebyshev’s inequality holds except with probability 

SMAJ-rule errs in this case only if ^ ^ 

fi' + For fixed values X{ with i G Am the variables . . . , A^.(m') ^.re 

identically distributed and mutually independent with mean value p' . So we use 

Bernstein’s law of large numbers. For random Gn (Am)"* ■ 

Pr[ Eili + 1^] < exp(-2(im'e)2). 

Proposition 1 . If the errors A, of the votes are pairwise independent and 
E[A,] < 5 — f e then SMAJ errs with probability at most + exp(— ^m'e^). 

Proof. If A^(i) > | we either have \p - p'\ > \e or X^(,) > 

p' + ^e. The first event has probability < and the second < exp(— 2m'(|e)^). 

RSA -inversion using the SMAJ-rule. Let us modify the stages t > 4 + lgn 
of RSA-inversion so that at these stages the SMAJ-rule is used with m = 2‘’£“^n 
and the multipliers at-fiat-i -|-6 with i G Am — at stages t < 3 + lgn the set Am 
is too small for SMAJ. We apply Proposition 1 with this m and m' = 2£“^lgn. 
Then |m'£^ =lgn> 1.4426 Inn, and thus a single SM A J-call at stage t >4-blgn 
fails with probability + n“^ < jE for « > 2®. All SMAJ-calls together 

fail with probability | -t- 1 = |. As the number of oracle calls and the additional 
overhead decrease by a factor Ign/n we get 

Theorem2. Using an oracle Oi that, given Ejv{x) and N, predicts i[x) with 
advantage e in time T, the RSA-/«nct«on En can be inverted in expected time 
9n(lgn)£-2(T + 2®£-^). 

A main point is that the number of oracle calls for RSA-inversion is at most 
9n£"^lgn, whereas the ACGS-algorithm requires (64)^^n^£“* oracle calls, 

where (64)^ ^ « 2^® We can further reduce the factor 9 in Theorem 2 by 
guessing upon initiation closer approximations uN, vN — this merely increases 
the additional overhead. On the other hand the number of oracle calls is nearly 
minimal. 

Oracle optimality. Goldreich [G96] observed that the number 9ne~^lgn of 
oracle calls in Theorem 2 is minimal up to a factor O(lgn). 




274 



4 Processing all possible locations together. 

We sketch a first step in reducing the additional overhead in the time for RSA- 
inversion. So far RSA-inversion processes all pairs of locations uN, vN separately. 
Together these pairs can be processed much faster. We simulate the algorithm 
RSA-inversion for fixed a, 6 and for all « G ^ [0,4e“^), u G | [0,4£~^) with 
all oracle replies Oi^t '■= Oi(EN({(it +i>)a:)) given. The majority decision 

sets t{atx) to 0 iff the equation (2) holds for the majority of the i G A^/. 

Oi,t = -t- -t- [ut + -t- *ut_ij mod 2. (2) 

The main work of RSA-inversion is to compute for all u G [0,2®ne~^) ,ut_i ;= 
2ut mod 1, all v, all t and / = {h,h) ■= (.({at-ix), £{bx)) G {0, 1}^: 

r{u,v,l,t) G I equation (2) holds with « = Ut, V, /, f}. 

This requires some technical algorithms and a tedious analysis that are contmned 
in the full version of this paper. A main point is to separate in equation (2) the 
influence of uj -f t; — we only use a few precision bits of U( -f u — and that 
of A key observation is that counting the i that satisfy equation (2) can 
easily be done simultaneously for Ut_i and U(_i -f | if we separately count even 
and odd i. By exploiting and extending these ideas we can prove 

Theorem 3, If all pairs (u,v) are processed together, the additional overhead in 
RSA-inversion requires at most expected time 0(n^e'"^ lg(ne“^)). 

The additional overhead in Theorem 3 can be further reduced. We can discard 
all pairs (u,v) for which r[u,v,l,t)/m' is not in the correct range of numbers 
that differ from | ±e by at most |e, where £ is the exact advantage of Oi - Thus 
we can restrict the set of pairs (u, u) to a small subset of ^ [0, 4e~^) x | [0,4e~*). 

5 Security of RSA-message bits and of the RSA-RNG. 

An important question of practical interest is how to generate efficiently many 
pseudorandom bits that are provably good under weak complexity ^sumptions. 
Provable security for the RSA-RNG follows from Theorems 2 and 3. Under the 
assumption that there is no breakthrough in algorithms for inverting the whole 
RSA-function Theorems 2 and 3 yield provable security for RSA-message bits 
and for the RSA-RNG for moduli N of practical size — n = 1 000 and n = 5 000. 

Practical security of RSA-message bits. For given En{x) it is impossible 
to predict £{x) with advantage within one MIP-year (3.16 • 10^^ instructions) 
or else the RSA-function En can be inverted faster than is possible by factoring 
N using the fastest known algorithm. For this we choose T := 3.16 • 10^®, n ;= 
1 000, e := As the 0-constant in Theorem 3 is about Theorems 2 
and 3 yield a time bound 3 ■ 10^^ for factoring N that is clearly smaller than 




275 



1025.5 ^ Ljvll, 1-9], the time for the fastest known factoring algorithm, see the 
next paragraph. 

Each of the 10 least-significant RSA-message bits is individually secure for 
RSA-moduli N with 1 000 bits. This is because we can — see the end of section 
2 — invert E/:/ in time 9nlg n£“^T + 0(n^e~'* lg(n£“^)) using an oraw:le Oj that 
predicts the j-th message bit £j(x). 

On the other hand the ACGS-result does not give any security-guarantee for 
moduli N of bit length 1 000, not even against one-step attackers with T = I, 
as 2i^ '^10003l00® « 8.5 ■ 10^° » 10^® ^ 

The fastest known factoring method. The fastest known algorithm for fac- 
toring N or for breaking the RSA cryptoscheme requires at least Tjvlg, 
steps, where Tjv[r,c] = exp{c- (In A)*'(lnln A) ^ ")• 1 .9] is the conjectured 

run time of the number field sieve method with Coppersmith’s modification us- 
ing several number fields [BLP93]. Factoring even a non-negligible fraction of 
random RSA-moduli N requires i 7 v[g. 1-9] steps by this algorithm. 

Practical and provably secure random bit generation. Let N = p ■ q he 
a random RSA-modulus with primes p,q, e an RSA-exponent and let xq Er 
[ 0, A). The RSA-RNG produces from random seeds (xq. A) the bit string b = 
(6i , . . . , bfrn'} as 

Xi = mod A, bi = Xi mod 2 for i = 1, . . . , m. 

A statistical test A rejects b at tolerance level e if for random a Er {0, 1}”* 

I Prt[A(6) = 1] - Pro[A(a) = 1] | > £. 

A tolerance level is considered to be sufficient for practical purposes. 

Theorem 4' Let the RSA-RAG produce from random seeds (xo,N) of length 
2n an output b = (bi, of length m. Every statistical test A, that rejects 

the output at tolerance level s, yields an algorithm that inverts the whole RSA- 
function E]\/ in expected time 9nlgn (m/e)^T(A) -t- 0(n^(m/e)^ Ig(nm/e) ) for 
a non-negligible fraction of N . 

Proof. Suppose the bit string b E {0, 1}"* is rejected by some test A in time 
T{A) and tolerance level e. By Yao’s argument, see eg. [K97, section 3.5, Lemma 
PI], and since the distribution of b is shift-invariant, there is an oracle Oi , which 
given En{x) and A, predicts £(x) in time T(A) -I- mn^ with advantage e/m for 
a non-negligible fraction of A. By Theorems 2 and 3, and assuming that T{A) 
dominates mn^, we can invert En in the claimed expected time. □ 



Corollary 5. The RSA-random generator produces for n = b 000 from random 
seeds (xq, A) of bit length 10"* at least m = 10^ pseudorandom bits that withstand 
all statistical tests doable with the 1995 world computing power at tolerance level 
or else the whole RSA-function En can be inverted in less than Ljvia. 1-9] 
steps for a non-negligible fraction of N . 




276 



Proof. Odlyzko rates the 1995 yearly world computing power to 3 • 10® MIP- 
years, where a MIP-year corresponds to 3.16 ■ 10^® instructions. Then 3 • 10® 
MIP-years correspond to 10^^ instructions. By Theorem 4 with a O-constant of 
2^® we can invert Eff using less than 10“*® steps while T;v[g, 1-9] > 3.7 • 10®°. □ 



6 The mod N generator and the Rabin-function. 

The mod N generator has been proved to be secure under the assumption 
that factoring integers is hard. Here we show that this even holds for moduli 
N of practical size. The mod N generator transforms a random seed (aro, N) 
into a bit string (6i, ..., 6^) as Xi := EN(xi-i), 6,- := f(*,) for i — 1, ..., m. 
Here En is the Rabin-function, is a random Blum integer — a product of two 
primes p,q that are congruent 3 mod 4 — and xq is a random number in 2Zjv. 
We distinguish three variants of this generator, the absolute, the centered and 
the uncentered RNG, according to the following variants of the Rabin-function: 

- the absolute Rabin-function E^(x) — \x'^ mod A^| £ (0, N/2), 

- the centered Rabin-function E^flx) — x^ mod N £ (—N/2.N/2). 

- the uncentered Rabin-function E'^(x) = x^ mod N £ [0, N). 

The centered function E% outputs x^ mod N. the absolute smallest residue 
of x^ modulo N in {—N/2, N/2) whereas E^ outputs the residue in [0,A^). 
Historically the uncentered RNG has been introduced as the x^ mod N generator 
[BBS86]. However, the absolute and the centered RNG coincide and are more 
natural than the uncentered RNG. We note that 

E%{x) = EMx) = ^Xr(x) € {£^(x), E%(x) + N}, 

where [t/l =min(y, — y) for y £ = [0, N’). Thus E% extends the output of 

by one bit, the sign. 



The absolute and the centered RNG coincide in the output. Let x“, xj, x“ 
denote the integer n in the i-th iteration with E’^, E^f, E^ and input xq — x^ = 
Xg = Xq - Using Eff{x) — ±£’^(x) we see by induction on i that X; = ±xf and 
t{x^) = x’i mod 2 - x“ mod 2 = f(x“). 

On the other hand the uncentered RNG is quite different. It outputs the 
xor of f(x?) and the sign-bit [xj > 0]. The uncentered RNG is less natural. 
Consider the group 2Z]^(-f-l) of elements in with Jacobi symbol 1. ZZj^(-fl) 
is a subgroup of of index 2 that contains the group QRn of quadratic 
residues modulo N. We see from —1 £ 1) \ QRf/ that E^ permutes the 

set 5jv = 7Z*ff{+l) n [1, A^/2), permutes the set QRn H {—N/2, N/2) and 
E'/i permutes QRn n (0, AT). The whole point is that Z]^(-(-l) can be decided 
in polynomial time whereas QRn may be difficult to decide. So E’f; permutes a 
nice set Sn whereas E^,E^ permute complicated sets. It comes as no surprise 
that we get better security results for the absolute/centered RNG than for the 
uncentered one. 




277 



Oracle inversion of the absolute Rabin- function. The algorithm RSA- 
inversion can be directly extended from the RSA-function to the permutation 
acting on Sn = ^/2)- This extension uses an oracle 0\ which given 

E^{x) and N predicts for random x € the bit i{x) with advantage e. A 

main point is that the majority decisions must use multipliers a = oj + iat~i + b 
in Zj^(+1) as we can only interpret the oracle for such inputs J?j\r(aa:) with 
X € On the average half of the multipliers a are in 7Z^{+1), the 

usable multipliers are nearly uniformly distributed, see[P92]. For compensation 
the inversion algorithm guesses initially an approximate location uN for [ax]jv 
of half the previous distance. This doubles the additional overhead, but does 
not affect the number of oracle calls. With these remarks Theorems 2 and 3 
extend from the RSA-function to the absolute Rabin-function Eff, Theorem 4 
and Corollary 5 extend from the RSA-RNG to the absolute/centered x^ mod N 
generator. The extended results prove security if factoring integers is hard, as 
the problems of inverting E^ and of factoring N are equivalent. 

Theorem 6. The assertions of Theorems 2 and 3 hold for the absolute Rabin- 
function E^ in place of the RSA-function E^. Theorems 4 and Corollary 5 hold 
for the absolute/centered mod N generator in place of the RS A- generator. 



Comparison with the muddle square method. It is interesting to compare 
the centered mod N generator with the randomized mod N generator pro- 
posed by Goldreich and Levin [GL89,L93]: iteratively square mod Af and 
output the scalar products 6,- = {xi,z) mod 2 for i = 1, m with a random bit 
string 2 . Following [GL89, L93] Knuth shows that N can be factored in expect- 
ed time 0{n'^e~'^m'^T{A) + n*e~^m^) for a non-negligible fraction of the N if 
we are given a statistical test A that rejects {b \, ..., 6m) at tolerance level e, see 
[K97, section 3.5, Theorem P]. This yields a security guarantee for the muddle 
square method that is similar to the one of Corollary 5. 



The problem of inverting of the (un)centered Rabin-function. Consider 
the permutations Ef^, E'ff acting on the set of quadratic residues. The problems 
of inverting E'f^ and E'ff are equivalent as we can easily transform one output 
into the other using that E^{x) — Eff(x) G {0,A}. We consider the oracle 
inversion of Ej^. The problem we face in the oracle inversion of E^f is that for 
given ±2/ ^ •io ^1°*' know which of ±y is in QRj^. A solution has 

been found by Vazirani and Vazirani [VV84]. We can determine the quadratic 
character of ±y using the oracle that predicts £{z) for the inverse image z G QRn 
with Epf{z) — ±y. 

Let Oi be an oracle which, given Ef.^{x) and N, predicts the least-significant 
bit of X G QRn with advantage e, Prj,^^[Oi(£'^(x)) = ^(a:)] > ^ -(- £ for x Gh 
QRn and the coin tosses w of Oi. The main problem in extending the RSA- 
inversion to the Rabin-function is that we can only use multipliers a = -t- 

iat_i -I- b that are in QRn as we can only interpret oracle values Oi{El;{dx)) 
with ax G QRn- QRn is a subgroup of ZZjy with index 4. 




278 



Let us first suppose that 2 is in QRn and that we are given ne~^ multipliers 
in QRn of each of the two types (^ + *)a + 6 and |(ia + 6). Hereafter we show 
how to get rid of this assumption. 

Inverting the centered Rabin-function. We describe how the algorithm dif- 
fers from RSA-inversion if 2 € QRn- 

Initially pick random a,b Eh Z]^and produce about ne~'^ quadratic residues 
of either type (| -|- i)a -|- b, ^{ia -|- 6) — with |1 -f 2»| < 4m£~^ — in QRn- On 
the average there are ne~^ residues in QRn of either type. Guess the closest 
approximations uN,vN to [aa:]jv, [6j;]jv with u € §7[0,2^e“^), v E |[0,4e“^). 

At stage t determine £{^ax) by majority decision using oracle 0\ and all sam- 
ple points -f »)a-|- 6 E QRn- Given we can in the same way determine 

using the sample points i(ta-|-6) in QRn - Then replace a, b by |a mod N, 
A 6 mod N and go to the next stage. The new sample points [i -+- ^)a -1- b and 
|(*a -t- b) are again in Q/ijv since we only divide by the quadratic residue 2. 

The case that 2 is a quadratic nonresidue. In this case we determine the 
quadratic residues (| -f i)a -f b and ^(»a -I- b) at stages t = \ and < = 2. We use 
the quadratic residues of stage 1 at the odd stages and the quadratic residues 
of stage 2 at the even stages. This is possible since we divide the residues by a 
power of 4 compared to stages 1 and 2. 

Determining quadratic residuosity. Suppose a 6 H^n Jacobi symbol 1, 
then we have a E QRn iff PG[Gi£^^(az) = t{dz)] > | -|- e for z 6^ QRn- This 
yields an oracle that predicts quadratic residuosity with advantage e. 

The algorithm for inverting the Rabin-function requires 0(ne“'* lg(ng“^)T) 
extra steps for the determination of the quadratic residues (| -|- i)a -f b, ^{ia -f 
b). There is an extra factor 4 induced by the density J of QRn in Sjy. To 
compensate for the smaller density the inversion algorithm guesses initially an 
approximate location uN for [ax]jv with ~ times the previous distance. We reduce 
the Eidditional overhead by the method of section 4. Assuming that T dominates 
n we get 

Theorem 7. The centered Rabin-function can be inverted in expected time 
lg(ne“^)r) with the help of an oracle that predicts £{x) with advantage 
e in time T when given N and E%{x). 

Conclusion. We have given a stronger security proof for RS A/Rabin bits. Our 
proof yields provable security for RSA-message bits, for the RSA-RNG and for 
the centered x^ mod N generator for moduli N of practical size, e.g. of bit length 
1 000 and 5 000. For the first time this yields provably secure and practical 
RNG’s under the assumption that factoring integers is hard. On the other hand 
there are more efficient and provably secure RNG’s based on stronger complexity 
assumptions, e.g. [MS91], [FS96]. 

Acknowledgement. We gratefully acknowledge the comments of D.E. Knuth 
and that of an anonymous referee that led to a considerably improved presenta- 
tion of the material. 




279 



References 



[ACGS88] 

[BCS83] 

[BBS86] 

[BLP93] 

[BM84] 

[FS96] 

[G96] 

[GL89] 

[GMT82] 

[HSS93] 

[K97] 

[L93] 

[MS91] 

[095] 

[P92] 

[R79] 

[RSA78] 

[VV84] 

[Y82] 



W. Alexi, B. Chor, O. Goldreich 2 ind C.P. Schnorr: RSA Jind Rabin Func- 
tions: certain parts are as heird as the whole. Siaun J. Comp. 17 (1988), 
pp. 194-209. 

M. Ben-Or, B. Chor and A. Shamir: On the Cryptographic Security of 
Single RSA-Bits. Proc. 15th ACM Symp. on Theory of Computation, 
April 1983, pp. 421-430. 

L. Blum, M. Blum amd M. Shub: A Simple Unpredictible Pseudo- Random 
Number Generator. Siam J. Comp. 15 (1986), pp. 364-383. 

J.P. Buhler, H.W. Lenstra, Jr. and C. Pomerance: Factoring Integers 
with the Number Field Sieve, in: The Development of the number field 
sieve, (Ed. A.K. Lenstra, H.W. Lenstra, Jr.) Springer LNM 1554 (1993), 
pp. 50-94. 

M. Blum and S. MicaJi: How to Generate Cryptographically Strong Se- 
quences of Pseudorandom Bits. Siaun J. Comp., 13 (1984), pp. 850-864. 
J.B. Fischer and J. Stem: An Efficient Pseudo-Random Generator Prov- 
ably ais Secure ais Syndrome Decoding. Proc. EUROCRYPT’96, Springer 
LNCS 1070 (1996) pp. 245-255. 

O. Goldreich: personaJ information at the Oberwolfaich workshop on Com- 
plexity Theory, November 10-16, 1996. 

O. Goldreich amd L.A. Levin: Haurd Core Bit for auiy One Way Function. 
Proc, of ACM Symp. on Theory of Computing (1989) pp. 25-32. 

S. Goldwaisser, S. Micali and P. Tong: Why amd How to Establish a Pri- 
vate Code on a Public Network. Proc. 23rd IEEE Symp. on Foundations 
of Computer Science, Nov. 1982, pp. 134-144. 

J. H&stad, A.W. Schrift auid A. Shamir: The Discrete Logarithm Modulo 
a Composite Hides 0(r») bits. J. of Computing and Systems Science 47 
(1993), pp. 376-404. 

D.E. Knuth: Seminumericad Algorithms, 3rd edn. Addison- Wesley, Read- 
ing, MA (1997). Also Amendments to Volume 2. Jauiuau-y 1997. 
http:// w w w-cs-staiff . Stainford.EDU /*uno/taiocp.html 

L. A. Levin: Randomness amd Nondeterminism. J. Symbolic Logic 58 
(1993), pp. 1102-1103. 

S. Micadi amd C.P. Schnorr: Efficient, Perfect Polynomiad Random Num- 
ber Generators. J. Cryptology 3 (1991), pp. 157-172. 

A.M. Odlyzko; The Future of Integer Factorization. CryptoBytes, RSA 
Laboratories, 1 (1995), pp. 5-12. 

R. Peralta: On the Distribution of Quadratic Residues amd Non-residues 
Modulo a Prime Number. Math. Comp., 58 

M. O. Rabin: Digitad signatures amd public key functions ais intractable ais 
faictorization. TM-212, Laboratory of Computer Science, MIT, 1979. 

R.L. Rivest. A. Shamir amd L. Adlemam: A Method for Obtaining Dig- 
itad Signatures amd Public Key Cryptosystems. Comm. ACM, 21 (1978), 

pp. 120-126. 

U.V. Vazirami amd V.V. Vazirami: Efficient amd Secure Pseudo-Random 
Number Generation. In Proc. 25th Symp. on Foundations of Computing 
Science (1984) IEEE, pp. 458-463. 

A.C. Yato: Theory and Application of Trapdoor Functions. Proc, of IEEE 
Symp. on Foundations of Computer Science (1982), pp. 80-91. 




Round-Optimal Zero-Knowledge Arguments 
Based on Any One-Way Function 



Mihir Bellare^ and Markus Jakobsson^ and Moti Yung^ 

^ Department of Computer Science & Engineering, Mail Code 0114, University of 
California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-mail; 
mihirfics.ucsd.edu. URL: http://www-cse.ucsd.edu/uBers/mihir. 

^ Department of Computer Science &: Engineering, Mail Code 0114, University of 
California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-mail: 

markusficE . ucsd . edu. 

® CertCo, New York, NY, USA. E-mail: motificortco.com. 



Abstract. We fill a gap in the theory of zero-knowledge protocols by 
presenting NP-arguments that achieve negligible error probability and 
computational zero-knowledge in four rounds of interaction, assuming 
only the existence of a one-way function. This result is optimal in the 
sense that four rounds and a one-way function are each individually 
necessary to achieve a negligible error zero-knowledge argument for NP. 



1 Introduction 

In a zero-knowledge (ZK) protocol, a prover P wants to “convince” a verifier V 
that some claim is true, without “revealing” any extra information [GMR]. In the 
theory of ZK protocols, researchers have looked at the complexity assumptions 
based on which protocols can be constructed, and the resources necessary to 
do so. Here we fill a gap in this area. Let us begin by explaining the various 
dimensions of such protocols. 

1.1 The big picture 

The interaction between P and V takes plaice on some common input x, and 
P is trying to convince V that x belongs to some underlying language L. The 
length of X is denoted n and one measures complexity in terms of n. The verifier 
is always a (probabilistic) polynomial time ailgorithm. Typically (and here) L 
is in NP. The system has two dimensions: “conviction” and “zero-knowledge.” 
Each can be formalized in one of two ways, a weak and a strong, depending 
on whether or not we restrict the aidversary involved to polynomial time. To 
describe these dimensions, we use a terminology from [BCY] (which they credit 
to Chaum). 

Degrees of conviction. Conviction is about “soundness.” If x ^ L we ask 
that no matter how the prover behaves, it cannot convince V to accept, except 
with low probability (called the error probability, and denoted €(•)). This has 
been formalized in two ways: 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 280-305, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




281 



— Statistical conviction: This is the notion of [GMR]. Even a computationally 
unrestricted prover should be unable to make the verifier accept x ^ L, 
except with probability e(n). Protocols providing this strong degree of con- 
viction are usually called “proofs.” 

— Computational conviction: This is the notion of [BrCr, BCC]. A prover re- 
stricted to (randomized) polynomial time should be unable to make the 
verifier accept x ^ L, except with probability e(n).* (But a more powerful 
prover might succeed in making the verifier accept with high probability.) 
Although weaker, this kind of soundness is good enough for cryptographic 
protocols. The soundness will tj^ically depend on the assumed intractability 
of some computational problem, like factoring or computing discrete loga- 
rithms. Protocols meeting this condition are usually called “arguments.” 

Degrees of zero- knowledge. Roughly, the zero-knowledge condition of [GMR] 
asks that when x £ L, the transcript of an interaction between the prover and 
a verifier yield no information (other than the fact that z 6 T) to an adver- 
sary who gets to examine the transcript. Again, this Eidversary may be weak or 
strong: 

— Statistical ZK: Even a computationally unrestricted adversary will not get 
useful information out of a transcript, except with low (negligible) proba- 
bility. Protocols meeting this are usually called SZK. 

— Computational ZK: A (randomized) polynomial time adversary will not get 
useful information out of a transcript. (But a computationally unrestricted 
adversary might.) This will be the case when the transcript contains encryp- 
tions of sensitive data, which are useless to a polynomial time adversary, 
but can be opened by an unrestricted one. This type of ZK is usually called 
CZK and, although weaker, is good enough for cryptographic protocols. 

We clarify that this discussion is very informal. The definitions talk of the indis- 
tinguishability of ensembles. (See Section 2.4.) We also don’t make perfect ZK 
a special case, considering it included as a sub-case of statistical. 

A NOTE ON completeness. In addition, a basic completeness condition is al- 
ways required. It a.sks that if i G L then there is a strategy via which the prover 
can make V accept. The definition of [BrCr, BCC] asks (as appropriate for a 
cryptographic protocol) that this be efficiently achievable; if P is given a witness 
for the membership of x in the NP language L then it can mcike V accept in 
pol 3 Tiomial time. The definition of [GMR] does not make such a requirement. 
However, all known proofs (statistically convincing) for NP languages do meet 
this efficient completeness requirement, so we won’t discuss it further, assuming 
it always to be true. 

A NOTE ON PROOFS OF KNOWLEDGE. One usually zJso wants that when x G L, 
the ability of a prover to convince V to Jiccept should be indicative of “knowl- 
edge” of a witness. Like soundness, in proofs it holds for turbitrary provers and 
in arguments for pol 3 momial time ones. (The notion was suggested in [GMR], 

^ This description masks some subtleties. See Definition 2 and the following discussion. 




282 



and an appropriate form£tlization has emerged in [BeGo]. See Section 2.3 for 
more.) Again, we will not discuss it further here, concentrating just on the two 
dimensions mentioned above. 

Four kinds of protocols. Since the dimensions discussed above are orthog- 
onal, we get four kinds of protocols: 

• CZK arguments: Computationally convincing, computational ZK. The weak- 
est kind, but still adequate for cryptographic protocols. For example the 
arguments for all of NP in [BrCr, BCC] when a standard bit commitment 
is used. 

• CZK proofs; Statistically convincing, computational ZK. For exaunple the 
proofs for all of NP in [GMW]. 

• SZK arguments: Computationaliy convincing, statistical ZK. For example 
the arguments for all of NP in [BrCr, BCC] when a discrete logarithm 
based bit commitment is used; also [NOW]. 

• SZK proofs; Statistically convincing, statistical ZK. The strongest kind, but 
not possible for all of NP unless the polynomial time hierarchy collapses 
[Fo]. But there are examples for special languages: quadratic residuosity 
and its complement [GMR]; graph isomorphism and its complement [GMW]; 
constant round SZK proofs for quadratic residuosity and graph isomorphism 
[BMOl]. 

1.2 Complexity measures and optimality 

Recall that the error-probability is the probability e(-) in the soundness con- 
dition, whether in a proof or an eirgument. Most atomic ZK protocols have 
constant error. But one really wants low error. A standard goal is to make the 
error negligible. (That is, a function vanishing faster than the reciprocal of any 
polynomial.) We will have the saune goal. 

Complexities to minimize. Theoretical research in ZK proofs has focused on 
achieving this low error while trying to minimize other complexity measures. 
Two main ones are: 

• Rounds; The round complexity is the number of messages exchanged, or 
roimds of interaction in the protocol.® 

• Assumptions: The complexity assumption underlying the protocol, it under- 
lies either the computationed ZK or the computationad conviction (or both). 
For example it may be an adgebraic assumption like the hardness of factoring 
or discrete log computation, or a generad assumption like the existence of 
claw-free paurs, trapdoor permutations, one-way permutations, or one-way 
functions. 

® There may be some danger of confusion in terminology. We call each sending of a 
message by a party a round. Some works like [FeSh] call this a move, and say a round 
is two consecutive moves. In their terminology, our four round protocols would be 
four move or two round protocols. 




283 



Rounds 


Assumption 


Reference 


Type 


poly(n) 


One-way function 


Combine [GMW, HILL, Na] 


CZK proof 


w(logn) 


Algebraic 


[BrCr, BCC] 


SZK argument 


poly(n) 


One-way permutation 


[NOW] 


SZK argument 


6 


Claw-free pairs 


[BCY] 


SZK argument 


6 


Claw-free pairs 


[GoKa] 


CZK proof 


5 


One-way function 


[FeSh] 


CZK argument 


n 


Algebraic 


[PeSh] 


CZK argmnent 


4 


Trapdoor perm. + Algebraic 


Combine [Bl, FLS, BeYu] 


CZK argument 


4 


One-way function 


This paper 


CZK argument 



Fig. 1. Negligible error ZK protocols for NP. We list round complexity, complexity 
assumption used, and type (CZK or SZK, proof or argument). Remember four rounds 
is optimal. 



Lower bounds. We know that things can’t go too low. Four rounds and a 
one-way function are each individually necessary to get low-error ZK: 

• Four rounds needed; Goldreich and Krawczyk [GoKr] show that there do not 
exist three round, negligible error (whether proof or argument) ZK (whether 
computational or statistical) protocols for NP unless NP C BPP. (There is 
a technical condition saying the ZK must be of a certain form called black- 
box. But all known ZK protocols Eire of this type. In this paper whenever we 
talk of ZK we always mean blEick box. See Definition 6.) Accordingly, four is 
the minimal number of rounds required to achieve ZK with low error. (The 
result also holds if the protocol is not sound but just a proof of knowledge, 
so that four rounds is also necessary for negligible knowledge error [ISl].) 

• One-way function needed; ZK arguments can be used to implement many 
kinds of cryptographic schemes, whence by [ImLu] require a one-way func- 
tion to implement. Even for the proof case with a computationally un- 
bounded prover, it is known that for “hard” languages some kind of “one- 
way function” is necessary [OsWi]. Thus, a one-way function is a minimal 
assumption required to achieve ZK. 

The problem. There are many so-called “atomic” ZK protocols for NP that 
Eichieve constant error-probability in constant (three or four) rounds. Serial rep- 
etition lowers the error and preserves ZK [GoOr, To Wo], but at the cost of 
increasing the number of rounds to non-constant. So we would like to do parallel 
repetition. However, this is ruled out; first, we have the above mentioned results 
of [GoKrj; second, the latter also showed that in general parallel repetition does 











































284 



not preserve ZK. So one must build low error ZK protocols directly. 

Previous work. A good deal of effort has gone into this, and a variety of 
ingenious constructions have been proposed. We summarize the known results 
in Figure 1. (One that may need elaboration is the protocol of [Bl, FLS, Be Yu]. 
We discuss it briefly in Appendix A.) 

Notice that prior to our work optimality had not been achieved in any proto- 
col category. That is, neither for CZK arguments, SZK arguments or CZK proofs 
did we have four round, low error protocols based on any one-way function. In 
this paper we have filled the first of these gaps. 

We also clarify that we are only tabulating ZK protocols for all of NP (ie. for 
NP-complete languages). There is also a lot of work on constant round ZK 
(especially statistical ZK) for special languages which we don’t get into. 

1.3 Our reaiUt 

Result. We look at low error CZK arguments for all of NP. Figure 1 tells us 
that it is possible to do it in four rounds using an algebraic assumption (hardness 
of discrete log) [FeShj; or in five rounds using a one-way function [FeShj. This 
leaves a (small but noticeable) gap, which we fill: we provide an optimal protocol, 
that uses only four rounds and a one-way function. 

Theorem 1, Suppose there exists a one-way function. Then for any language 
in NP, there exists a protocol which has four rounds of interaction; is compu- 
tationally convincing (ie. an argument) with negligible error probability; is com- 
putational zero-knowledge; and is a computational proof of knowledge (for the 
underlying NP-relation) with negligible knowledge-error. 

Techniques. Our protocol is for the NP-complete language SAT. Let (p be the 
input formula. We use the idea of Feige and Shamir [FeSh] of ORing to (p some 
formula ^ which represents some choices of the verifier, and then having the 
prover run a standard ZK proof on input 0 = ipM^. However, Feige and Shamir 
[FeSh] begin their protocol by having the verifier give a witness indistinguishable 
proof of knowledge of something underl 3 dng #. Instead, we work directly with 
the one-way function, having the verifier give a cut-and-choose type proof that ^ 
meets some conditions. This is interleaved with a standard ZK proof run on 0. 
To implement the latter with a one-way function we use Naor’s bit commitment 
scheme [Na] which can be based on a one-way function via [HILL]. 

The tricky part is getting the protocol to be ZK. When the protocol is finally 
designed, however, the ZK is not hard to see. It turns out the technicaJly more 
chcJlenging part is to prove computationed soundness. We introduce what seems 
to be a new technique, proving the soundness by using proofe of knowledge, 
rel 3 dng on the strong formulation of the latter given in [BeGo]. 

1.4 Open problems 

We have filled the (small) existing gap between upper and lower bounds for 
CZK arguments. For other protocol categories, the existing gap is larger and still 




285 



unfilled. For CZK proofs, it is not known whether constant error can be achieved 
with a one-way function (let alone with what value of the constant). For SZK 
arguments, it is not known whether it can be done at all (ie. in polynomially 
many rounds) with a one-way function. 

2 Definitions 

We provide definitions for zero-knowledge arguments and computational proofs 
of knowledge. 

2.1 Preliminaries 

NP-relations. Let p{-, •) be a binary relation. We say that p is an NP-relation 
if it is polynomial time computable and, moreover, there exists a polynomial p 
such that p(x,w) = 1 implies |w| < p(|x|). For any x 6 {0,1}* we let p(x) = 
{ w £ {0, 1}* : p(x,w) = 1 } denote the witness set of x. We let Lp = { x € 
(0, 1}* : p(x) ^ 0 } denote the language defined by p. Note that a language L 
is in NP iff there exists an NP-relation p such that L = L^. We say that p is 
NP-complete if Lp is NP-complete. 

The example we will concentrate on is satisfiability. Let (p be a boolean 
formula (circuit) and T an assignment of 0/1 values to its variables. We let 
Satisfy {(p,T) = 1 if T satisfies <p (makes it true) and 0 otherwise. This is an 
NP-relation, and the corresponding language Lsatitfy is of course just SAT = 
{ip : V? is a satisfiable boolean formula }. 

Negligibility. Recall that a function 6-. N ->^ R is negligible if for every poly- 
nomial p( ) there exists an integer Up such that (5(n) < l/p{n) for every n > rip. 

Interactive algorithms. Parties in our protocols (provers and verifiers) are 
modeled £is interactive functions. An interactive function A takes input x (the 
common input), the conversation Mi ... Mj so far, and coins R to output A{x, M\ 
... Mi, R), which is either the next message, or some indicator to stop, perhaps 
accepting or rejecting in the process. Probabilities pertaining to this function 
eire over the choice of R. We let Ax{-,-) = A(x, •, •) and Ax,r{-) = A{x,-,R). 
T 3 T>ically we will have fixed x and will be talking about Ax ’, sometimes we will 
?dso have fixed R and are t 2 dking about the deterministic function Ax,r. A may 
also take an auxiliary input w (when A is the prover, this is a witness w 6 p(x)) 
and we write A" for this algorithm. Thus we can have A“ or A^ jf. 

The transcript of a conversation between a pmr of interactive functions is the 
entire sequence of messages exchanged between them until one of them halts. 
We let Acc(Ax,Bx) denote the probability (over the coins of both parties) that 
B accepts when talking to A on common input x. We let Acc(A*, Bx,Mi . . . Mi) 
denote the conditional probability that B accepts in talking to A on common 
input X when the conversation so far is Mi ...Mi. 

We refer to the sending of a message by one party as a round of interaction. 
So the number of rounds is the total number of messages sent. 




286 



2.2 Arguments, or computationally convincing proofs 

The protocol must satisfy a standard completeness condition saying that a prover 
knowing a witness for x £ Lp can convince the verifier to accept x. Soundness 
pertains to what happens when x ^ Lp. We wcint to say that it is unlikely that 
one can make the verifier accept, even if one is allowed to modify the strategy 
of the prover. The error-probability measures how unlikely. For the purpose of 
this paper we axe interested in 2 irguments of negligible error, but the definition 
that follows is for any error. 

Definition 2. Let P,V be polynomial time interactive algorithms and let p be 
an NP-relation. We say that (P, V) is a computationally convincing proof (or 
argument) for p, with error-probability €(•), if the following two conditions are 
met: 

(1) Efficient completeness; For every x £ Lp and every witness w £ p(x) 
it is the case that Acc{P", F*) = 1. 

(2) Computational soundness: For every polynomial time interactive algo- 
rithm P there is a constant N-p such Acc(Px,Vx) < c(|a:|) for all i ^ Lp 
which have length at least Np. 

If e is negligible then we say that the error-probability is negligible. 

We highlight the case of negligible error; the system has negligible error as long 
as there is some negligible function e(-) such that the error is e(-). 

Notice one difference with defining interactive proofs: we ask that the point 
at which the error goes down to e(-) depend on the prover P. This is necessary, 
as the discussion below explains. 

Issues in computational soundness. In the interactive proof setting [GMR], 
the error-probability of a protocol (P, F) is e( ) if for any x ^ L and any inter- 
active algorithm P playing the role of the prover, Acc(Px,Fe) < e(lx|). The 
question of what is the error-probability of a computationally sound proof (ar- 
gument) is more subtle. The first thought is that we say the same thing, ex- 
cept restricting our attention to pol 3 rnomial time prover algorithms. Namely, 
the error-probability is c(-) if Acc(P,,Fj) < edxj) for any polynomial time in- 
teractive algorithm P aind any x ^ L. But this is not right. Underlying the 
argument is some computationally hard problem like inverting a one-way func- 
tion. The size of this problem is proportional to |i(. So for any fixed x there is 
some polynomieil time prover who can convince the verifier with high probability, 
by solving the underlying computational problem. In other words, we cannot, 
for a fixed x ^ L, hope that the probability of convincing the verifier is at most 
e(lx|) for all polynomial time provers. (Unless the argument is in fact a proof.) 
However, for any fixed polynomial time prover, as |x| grows, the probability of 
convincing the verifier decreases, because the size of the underlying hard com- 
putatmnal problem is increasing. In particular it is reasonable to ask that for 
each P the error eventually goes below the desired error-probability e(n), which 
is what we did above. 




287 



In particular, the probability of convincing the verifier to accept x ^ L in 
a computationally convincing proof cannot be reasonably expected to be ex- 
ponentially small. It is restricted by the probability of solving the underlying 
computational problem. Since the t 3 rpical assumption is that the latter is neg- 
ligible (not but less), the error of the argument too is negligible but not less. 
In particular, independent repetition will not lower the error to exponentially 
small. 

Another way to resolve the issue is to have a security parameter k that is 
separate from the input x and measures the size of the underlying hard problem. 
For any fixed x, the error-probability still goes down as we increase k. This 
formulation is probably better for protocol design, but in the current theoretical 
setting, we stick, for simplicity, to just one input, and adopt the definition above. 



2.3 Computational proofs of knowledge 

We want to say that if ein interactive algorithm can convince V to accept x € 
L then it must actually “know” a witness w G p{x). This notion of a “proof 
of knowledge” was suggested in [GMR]. It was formalized in [BeGo] both for 
the standeird interactive proof setting and the argument, or computationally 
convincing setting. (They discuss the latter in [BeGo, Section 4.7].) We adopt 
their notion. It comes in two equiv^llent forms. We present both. 

Recall an oracle algorithm is an algorithm that can be equipped with 
an oracle. An invocation of the oreicle counts as one step. We will talk of an 
“extractor” E which will be given an oracle for P* , a prover algorithm on input 
X, and will then try to find a witness u; to the membership of x in Lp. The first 
definition below is what [BeGo] refer to as the “alternative form of validity.” 



Definitions. [BeGo] We say that verifier V defines a computational proof of 
knowledge for NP-relation p, with knowledge-error /c( ), if there is a an expected 
polynomial time orcicle algorithm E (the extractor) such that for every pol 3 no- 
mial time interactive algorithm P there is a constant Np such that if x € Tp 
h 2 is length at least Np then 



Pr[p^*(x)ep(x) 



> Acc(P,,F*) -/c(lx|) . 



If k(-) is negligible then we say the proof hcis negligible knowledge-error. 



In other words, if E has oracle access to P then it can output a witness for 
membership of x in Lp with a probability only slightly less than the probability 
that P would convince V to accept x. Again, note negligible knowledge error 
means the above is true for some negligible function k{ ). 

In the next formulation (the main one of [BeGo]) the extractor must find a 
witness with probability one. It is not limited to (expected) pol 3 momial time, but 
must run in time inversely proportional to the excess of the accepting probability 
over the knowledge error. 




288 



Definition 4. [BeGo] We say that verifier V defines a computational proof of 
knowledge for NP-relation p, with knowledge-error «(•), if there is a zm oracle 
algorithm E (the extractor) and a constant c such that for every polynomial 
time interactive ailgorithm P there is a constant Np such that if 2 G has 

length at least Np and satisfies Acc(P*,Fj;) > k(i), then E^‘{x) £ p(x), and 
moreover this computation halts in an expected number of steps bounded by 



Acc(Px,Vx) - k(x) 

If k( ) is negligible then we say the proof has negligible knowledge-error. 

See [BeGo] for the proof that these two notions are equivalent. Sometimes it is 
convenient to use one, sometimes the other. 



2.4 Zero-knowledge 



Ensembles and computational indistinguishability. We recall these no- 
tions of [GoMi, GMR]. An ensemble indexed by L C {0,1}* is a collection 
of probability spaces (of finite support), one for each x £ L. Let 
Si = {£i(x)}xgi and S 2 = {E 2 (x)}xeL be ensembles over a common index set 
L. A distinguisher is a polynomial sized family of circuits D = {Dx}xeL, with 
one circuit for each x £ L. We say that Si,S 2 are (computationally) indistin- 
guishable if there is a negligible function d( ) such that for every distinguisher D 
there is a constant No such that if x £ L has length at least Nd then 



Pr [Dx(v) = 1 : t) a Eiix) ] - Pr [Dx(u) = 1 : u A Eh{x) 



< H\x\) . 



Zero-knowledge. Let P, V be interactive algorithms. The definition of a zero- 
knowledge interactive proof [GMR] refers to a language L. It begins by defining 
a probability space, the view of a cheating verifier V in talking to P on input 
X £ L. (And then says there is a simulator that on input i produces an “indis- 
tinguishable” view.) The basic idea is the same in the argument setting, but one 
must be careful about a couple of things. Recall prover P begins with a witness 
w to X. The view generated by P and V depends not just on P but on in. An 
elegant way to bring this into the picture is via the notion of a witness selector 
[Be Yu]. 

Definitions. [Be Yu] A witness selector for an NP-relation pis a map W: -> 

(0, 1}* with the property that W{x) £ p{x) for each x £ Lp. 

That is, a witness selector is just a way of fixing an association of a particular 
witness to each input. When p = Satisfy eind Lp = SAT this just means associ- 
ating to any formula x = ip £ SAT a particular satisfying assignment to it, out 
of all the possible satisfying assignments. 




289 



Now we can define the view. Let P, V be interactive algorithms, p an NP- 
relation, and W a witness selector for p. We let ViEW(F, W, V, x) be the proba- 
bility space whose points are of the form {R, t), where fl is a random tape for Vx 
and r is a transcript of an interaction between zind Vx,n- The associated 

probability isjthat over the choice of R and the coins of The collection 

{ViEw(P, becomes an ensemble. 

We define zero-knowledge in a strong “black-box” simulation form. The sim- 
ulator S is an oracle algorithm given input x and oracle access to Vx,r where R 
has been chosen at random. (The simulator does not have to pick R. It is done 
automatically and the simulator only sees the interf 2 ice to the oracle Vx,r-) It 

y*w 

will output a transcript r of a conversation between P* and Vx,r. We let S ’ (i) 
denote the probability space of pairs {R, r) where R was chosen at random and 

r ■<— 

Definition 6. We say that (P, V) is a (computational) zero-knowledge protocol 
for NP-relation p if there exists an expected polynomial time oracle algorism S 
(the simulator) such that for every polynomial time interactive algorithm V (the 

cheating verifier) and every witness selector W for p, the ensembles (i)}i6i, 
and {ViEw(P, W, are computationally indistinguishable. 

Note formally, zero-knowledge is no longer a property of the language Lp but of 
the relation p itself. 

Under this definition of zero-knowledge, we know that any negligible error 
probability zero-knowledge argument for an NP-complete relation p must have 
at least four rounds, assuming NP is not in BPP [GoKr]. We want to meet this 
bound given only a one-way function. 

Remark. The above notion of bl^w;k-box simulation zero-knowledge is stronger 
than those of [GoOr, GoKr, BM02] in the following sense. In our notion, the 
simulator has no control over the coins R of V* '• they are automatically chosen 
(at random) zmd then fixed. The simulator does not even have direct access 
to them: it just gets an oracle for Ux.fi- In the notions of [GoOr, GoKr], the 
simulator could choose these coins as it liked, even try running Vx on many 
different random tapes. In the notion of [BM02] it could not choose them, but 
did have direct access to them, and could try several random tapes. However, 
since our results are positive, making a more stringent definition only strengthens 
them. Also, all known zero-knowledge protocols do meet our definition. 

For simplicity we do not talk of non-uniform verifiers, but of course the above 
definition could be extended to include them. 

3 Building blocks for our protocol 

Our protocol uses one-way functions, satisfiability, and a standard bit commit- 
ment based atomic ZK protocol for satisfiability. 




290 



3.1 One-way functions 

Let /; {0,1}* {0,1}* be some length-preserving function. An inverter for 

f is a fzunily I = {In}n>i where each I„ is a circuit, tsdcing n bit inputs and 
yielding n bit outputs, and having size at most p(n) for some polynomial p(-)- 
We let 



lnv/(n) = Pr f(x') =y : x A {0, 1}” ; y +- f(x ) ; x' 7„(y) 

denote the probability that 7„ successfully inverts / at the point y = f{x), taken 
over a random choice of x e {0, 1}". 



Definition 7. Let/; {0,1}* {0, 1}* be a polynomial time computable, length- 

preserving function. We say / is one-way if there is a negligible function 5( ) such 
that for every inverter 7 there is an integer Nj such that Inv^(n) < 5(n) for all 
n > Nj. 

Hereafter we fix a one-way function /, and the notation / will always refer to 
this fixed function. 



3.2 Formulas and satisfiability 

We will present ZK arguments for the NP-complete language SAT. More pre- 
cisely let Satisfy be the NP-relation defined by Satisfy {(p,T) = 1 if assign- 
ment T satisfies formula (p. The corresponding lauiguage Lsatufy is of course 
SAT = {<p : V? is a satisfiable boolemi formula }. We will present ZK eirgu- 
ments for the NP-relation Satisfy meeting the definitions in Section 2. (In terms 
of those definitions, the NP-relation here is p = Satisfy, the common input is 
x = If, a boolean formula, 2 uid the witness tw is a satisfying assignment T to (p.) 

We will be encoding statements about the one-way function / as formu- 
las, and need some standcird features of the Cook-Levin theorem. The NP- 
completeness of SAT as proved in this theorem implies the following. There is 
a pol 3 momiEil time computable transformation FORMULA/ {•) such that for any 
y € {0, 1}* it is the case that FORMULA/ (j/) is a boolean formula which is satis- 
fiable iff there exists an x e {0, 1}* such that /(x) = y. More important, there 
are polsmomial time computable maps t/,i,f /,2 (called witness transformations) 
with the following properties. Given x, map t/,i outputs a satisfying assignment 
T = f/,i(x) to FORMULA/ (/(x)). Conversely, given a satisfying assignment T to 
F0RMULA/(j/), map t /,2 outputs a point x = t/, 2 (T) such that /(x) = y. We will 
refer to both the transformation FORMULA/ and to the accompanying witness 
transformations in what follows. What is important to remember is that knowl- 
edge of a satisfying assignment T to FORMULA/ (y) is tantamount to knowledge 
of a pre-image x of y under /. 




291 



3.3 Naor’s commitment scheme 

We will use Naor’s commitment scheme [Na] which can be based on any one-way 
function via [HILL]. Some special properties of the scheme are important for us. 

It work like this. Suppose A has some data d G {0, 1}"* that she wants to 
commit to B. First, B must send A a random string R, which we call the com- 
mitment setup string, and which has length polynomial in the security parameter 
n and the data length m. Then, A picks at random some string s to use as coins, 
and computes a function a = COMMlT/(ii,d, s). (This function depends on a 
pseudorandom bit generator [BlMi, Ya], constructed out of f via [HILL], but we 
don’t need to know that.) This a is 2 l’s commitment to d and is sent to B. At 
a later stage, B cem ask A to “open” the commitment, at which point A sends 
d and s, and B checks that a = Commit/ (H, d, s). 

The protocol must have two properties. First is privacy: a gives B no infor- 
mation about d. Second is soundness: A can’t create commitments which she 
can open in more them one way. 

In Naor’s scheme [Na], the privacy is true in a computational sense. That is, 
as long as B cannot invert the underlying one-way function /, it gets no partial 
information about d. Soundness however is true in a strong, unconditional sense, 
amd since this is important for us, we need to discuss it further. 

A de-committal of a is a pedr (d, s) such that a = COMMIT/ (H,d,s). We say 
that A opens a as d if she provides a de-committal (d, s) of a. We say that a 
commitment setup string R is bad if there exists a pair (di, si), (d 2 ,S 2 ) of de- 
committals of a such that di ch- We say R is good if it is not bad. Naor’s 
scheme has the property that a randomly chosen commitment setup string is bad 
with probability exponentially small in n [Na, Claim 3.1]. For our purposes we 
set the parameters of the scheme so that this probability is 2~^". (The length 
of R required to make this true depends not only on n but also on the data 
length m. In what follows, we assume R is of the right length to make this true 
with respect to whatever data length we have.) It follows that the probability 
that even one out of n random commitment setup strings Ri,...,Rn is bad is 
at most n • 2~^" < 2“". This will be used repeatedly in what follows. 

3.4 The atomic protocol 

We use as a primitive a atomic four round ZK argument achieving error 1/2. 
We now specify the properties we want of it eind the notation used to describe 
it. To avoid depending on the details of any specific protocol, it is described via 
generic components and steps. 

The protocol. In the literature there are several commitment-based three 
round ZK arguments with error 1/2. For concreteness, take the one of Brassard, 
Crepeau and Chaum [BCC], or the one based on general commitment in [ImYu]. 
To set it up using one-way function based commitment, we first have the verifier 
send a commitment setup string, and then run a protocol such as the ones in 
[BCC, ImYu], so that we have four rounds. 




292 



To avoid depending on the details of any specific underlying protocol, we 
describe the protocol via generic components cind steps. Let 0 denote the boolean 
formula which is the common input. The prover is assumed to have a satisfying 
assignment T for 0. We now specify the instructions for the parties, with the 
nomenclature to be explained later: 

(1) Verifier picks at random a commitment setup string R cuid sends it to the 
prover. 

(2) Prover picks a random string p and computes an encapsulated circuit C = 
EncCirC/(©, T,ii, p). This is sent to the verifier. 

(3) Verifier picks a random chedlenge bit c and sends it to the prover. 

(4) Prover computes an answer D = AnswEK}{0,T,R,p,c) and sends it to 
the verifier. 

(5) Verifier checks that CHECK/(©,i?,C,c, J9) = 1. If this is true it accepts, 
else rejects. 

Now let us explain the components. In the second step, the prover computes an 
object C we call an “encapsulated circuit.” This step will involve a number of 
bit commitments which is proportional to the size of 0, and they are performed, 
here, using the scheme of Section 3.3, which can be implemented given /. The 
commitment setup string used (for all the commitments) is R, and p represents 
some random choices that underly the encapsulation. (Roughly, the prover will 
first create a randomized version of 0 that is annotated with the values given 
by the truth assignment T. This annotated circuit, call it d, would reveal T, 
but the prover does not send it directly. Instead, he commits to it, sending 
COMMIT/ (R,d,s) where s is part of p. But the details, such as what is d, will 
not matter: later we will summarize all the properties we need.) As in a typical 
cut-and-choose protocol, the verifier then poses a random challenge question, 
which is the bit c, and prover must “open” the encapsulated circuit in one of two 
ways. This “ 2 Uiswer” of the prover, denoted D, is computed as a function of the 
truth assignment, the challenge, and the random choices underlying the original 
encapsulation. It consists of de-comraitting certain parts of C. The answer being 
sent to the verifier, the latter checks that it is correct. The check is a function 
of the encapsulated circuit, the commitment setup string, the challenge, atnd the 
answer provided. 

Properties. We assume certain properties of this protocol. The standard ex- 
ample protocols (eg. [BCC]) do have these properties. 

We assume that if an encapsulated circuit C is successfully “opened” in both 
ways, ie. for both a 0-challenge and a 1-challenge, then one can obtain the truth 
assignment underlying 0. This is true no matter how C was constructed, and 
is the technical fact underlying the protocol being a (computational) proof of 
knowledge with knowledge error 1 /2. 

More precisely, there is a polynomial time algorithm Extract/ such that the 
following is true. Suppose i? is a good commitment setup string. Let C be some 
string sent by the prover in the first step. (It purports to be a correctly computed 
encapsulated circuit.) Let Dq, Di be strings such that Check/(0, R, C, 0, Dq) = 




293 



CHECK/(6>,ii,C', l,Di) = 1. Then Extract: f{0,R,C, Do, Di) =T' is a truth 
assignment that satisfies &. 

We stress that this requires the commitment setup string R to be good as 
defined in Section 3.3. We are using the fact that when this happens, it is im- 
possible (not just computationally infeasible) for the commiter (here the prover) 
to open a commitment in two different ways. 

We will need (to show our protocol is ZK) that one can compute EncCirc / {&, 
T, R, p) for any T, not just a T that satisfies p. The underlying annotated circuit 
d will be non-sensical in this case, but the verifier will not know, because the 
annotated circuit is provided in committed form. (Of course, a prover providing 
such an encapsulated circuit will be hard put to answer the challenges, but that 
will not matter for us.) 

Finally, of course, we also need that the protocol is ZK. (Actually, all we will 
use is that it is witness indistinguishable in the sense of [FeSh], something which 
follows from its being ZK.) 

4 Protocol 4R-ZK and its properties 

We now describe our protocol and its properties. We call the protocol 4R-ZK 
for “four round ZK.” 

4.1 Protocol description 

We give instructions for the prover P and the verifier V to execute protocol 
4R-ZK. The common input is a formula of size n, and the prover is assumed 
in possession of a satisfying assignment T to ip. Refer to Section 3 for the notation 
and components referred to below. 

(1) The verifier’s message Mi = consists of two parts computed as 

we now describe. 

(1.1) For i = 1, . . . , n and y = 0, 1 the verifier chooses j A {0, 1}" and 
sets = fixij). These points are hereafter called the “F-values.” 
It lets Mi_i consist of these 2n strings. 

(1.2) The verifier picks at random commitment setup strings R\, . . . ,Rn- 
It is thereby initiating n pcirallel runs of the atomic protocol: R{ will 
play the role of the commitment setup string for the i-th run. (But 
the input formula 0 for these runs has however not yet been defined! 
That will appejir later.) It sets Mi^2 = {Ri, ■ ■ - tRu)- 

The verifier sends Mi = Mi^iMi,2 to the prover. Now for i = 1, . . . ,n and 
j = 0, 1 we let = FORMULA/(yij) as per Section 3.2. This is a formula 
both p2urties can now compute. 

(2) The prover receives Mi. Its reply M2 = M2, 1 M2, 2 consists of two parts 
computed as we now describe. 

(2.1) The prover picks bits 61, . . . , 6„ A {0, 1} and sets M2,i = (f>i, - ■ -,&«)■ 
The bit 6j is viewed as selecting the F-value 2/1,4^ , and the verifier is 




294 



being asked to reveal the pre-image of this value, which he will do 
in the next step. 

(2.2) We now set # = ^1,1-6, V ... V (This is the OR of all 

formulas corresponding to V-values which the prover has not asked 
be revealed. As long as / is one-way, the prover has very little chance 
of knowing a satisfying assignment to <f.) We then set 0 = ^ V y?. 
Notice that T (the satisfying assignment to ip that the prover has) 
is also a satisfying assignment to 0, so the prover has a satisfying 
assignment to 0 (even though he does not have one for $). Viewing 
Ri,...,Rn as commitment setup strings initiating n parallel runs 
of the atomic protocol on common input 0, the prover will now 
perform the second step for each of these executions of the atomic 
protocol. Namely, for * = l,...,n it picks at random a string pi 
to be used as coins in the encapsulated circuit computation, and 
computes Ci = EncCirc / (0, T, /?< , pi) for t = 1 , . . . , n. He now sets 

Af2,2 = {Cl, . . - ,Cn). 

The prover sends M2 = M2 ,1 M2, 2 to the verifier. 

(3) The verifier receives M2 = M2,iM2,2. Its reply M3 = M^^iM^p consists of 
two parts computed as we now describe: 

(3.1) It sets Ma,i = (ii,;,, ,...,x„,6„), meaning it returns the pre-images 
for the Y -values selected by the bits 61 , . . . , that the prover sent 
in M2 ,i = (61,..., 6„). 

(3.2) Having 61, . . . , 6„, the verifier knows $ and hence 0, these formulas 
being as defined above. It now picks challenges ci, . . . ,c„ A {0, 1}, 
one for each run of the atomic protocol on input 0, and sets M3, 2 = 
(ci , . . . , c,^). 

The verifier sends M3 = M3pM^^2 to the prover. 

(4) The prover receives M3 = M3,iM3,2. 

(4.1) Say M3 ,i = (ii,...,Xn). The prover checks that f{xi) = j/i.b, for 
i = 1, . . . , n, and if this check fails then it aborts the protocol. Else 
it goes on to the next step. 

(4.2) Say M3, 2 = (ci, . . . ,c„). The prover computes the answers to these 
challenges. Namely for t = 1, . . . , n it sets Di = AnsweR/( 0, T,Ri,pi,Ci). 
(Recall Pi W21S the coins used to produce the encapsulated circuit C,, 
so that here the prover is opening this encapsulated circuit according 
to challenge Cj.) 

The prover sends M4 = (Z?i , . . . , L>„) to the verifier. 

(5) The verifier receives M4 and makes its final check. For i = 1 , . . . ,n it checks 
that CHECK/(0,i?i,Cj,Cj,£>i) = 1. (Recall the verifier received the encap- 
sulated circuit Ci in M3, 2 and the opening Di in M4.) If this is true it 
accepts, else it rejects. 

Notice that the protocol is indeed of four rounds. Next we Eiddress its properties. 




295 



4.2 Result 

Our claims about the above protocol are suramzirized in the following theorem. 
Refer to Section 2 for definitions of the various notions. 

Theorem 8. Assume f is a one-way function. Then protocol 4R-ZK is: 

(1) A computationally convincing proof (ie. an argument) with negligible error 
probability, 

(2) A computational proof of knowledge with negligible knowledge error, and 

(3) A (computational) zero-knowledge protocol, 

all for the NP-relation Satisfy corresponding to the NP-complete language SAT. 

We will prove these items in turn. As one might imagine, the difficulty in the 
protocol design was making sure it was ZK. Having done the design to make this 
work out, however, it will be relatively easy to show. The other claims turn out 
to be more non-trivial. In particular the soundness is shown via a novel use of 
proofs of knowledge. We begin with a technical lemma that underlies the first 
two claims above. 

4.3 The d-Extraction Lemma 

The first two claims about the protocol are that it is computationally convincing 
and a computational proof of knowledge. The first says that if is unsatisfiable 
then a polynomial time prover has little chtince of convincing the verifier to 
accept, and the second says that if <p is satisfiable then any prover convincing 
the verifier to eiccept actually “knows” a satisfying assignment to ip. Both these 
claims pertain to the input formula p. Yet our main technical lemma is a claim 
not about (p but about the formula O constructed in the protocol. Remember 
this formula (a random variable depending on other choices in the protocol) is 
the one on which the atomic protocol is cictually run. The crucial property of 
this formula is that (as long as the verifier is honest, namely is V) it is always 
satisfiable: whether or not <p is satisfiable, 0 is, because 0 is always satisfiable. 

We claim that if a prover A convinces V to accept p then we can extract a 
satisfying assignment for G, reg^lrdless of whether or not p is satisfiable. Further- 
more, this extraction can be done to meet the kinds of conditions asked in the 
definition of [BeGo]. This will help prove both the above mentioned claims, and, 
as motivation, it may help to say why. Roughly, £ui assignment to corresponds 
to knowledge of inverses of / on random points. But remember 6 = y; V <P. So if 
p is unsatisfiable, then an assignment to G must be em assignment to 0, and this 
will enable us to say in Lemma 10 that significaint success in making the verifier 
accept when p is unsatisfiable translates to inverting the one-way function /. 
On the other heind, if p is satisfiable then an assignment to G will with high 
probability be one to p since otherwise someone is inverting /. Now let us state 
and prove the lemma. 




296 



LemmaO. There is on expected polynomial time oracle algorithm E (the ex- 
tractor) such that for any prover A and formula (p the following is true. Let 
R be a random tape for and M1M2M34 a partial transcript of an interac- 
tion between A^^r and V^. (The transcript includes the first two messages of 
the protocol and the first part ofV’s third message). Assume the commitment 
setup strings in Mi are good. Letn = \<p\. Letp= Acc{A^^r,V^, MiM^Mz^i) be 
the probability that V accepts given the current partial transcript. Then on input 
(fifMiMzMa^i and with oracle access to A^^r, algorithm E outputs a satisfying 
assignment to the formula G defined by the above partial transcript as in the 
description of our protocol, and this with probability at least p — 2"". 

Proof Let R = (iJi, .. .,Rn) be the sequence of commitment setup strings in 
Ml . We know that M2 = (b, C) where C = {C\ ,... ,Cn) and Ci is (supposed to 
be) an encapsulated circuit as per an execution of the atomic protocol on input 
0 . Say c = (ci, . . . , c„) is a challenge vector playing the role of message M3, 2 in 
the protocol, and D = (Di , . . . , D„) = M4 is some response. It is useful to let 

Check^(0,R,C,c,D) = /\1^^CiiECKf{G,Ri,Ci,Ci,Di) 

be the final evaluation predicate of our verifier. We first describe a different 
oracle algorithm Ei. It takes the same inputs as E should. It always returns a 
satisfying assignment to 0, and this within an expected number of steps bounded 
by poly(n)/(p-2~"). (We can assumep > 2“" since otherwise there is nothing to 
show.) Algorithm Ei will sample responses of A^^r for different random challenge 
vectors c, keeping other information fixed, until it finds a pair of challenge vectors 
that are accepted by V but are different in at least one component. Namely, 
repeat the following steps; 

(1) Pick ct = (ct,i , . . . , ct,n) ^ {0, 1}” and let Mfs = Ms.i . c« 

(2) Let Dt = [Dtp ,. . . , Dt,n) 

until 3 1, m G [t] such that ci ^ but 

CheckJ(0,R,C,cj,Dj) = CHECK"(0,R,C,c„,Dm) = 1. 

Now let l,m satisfy the halting condition. Let i G [n] be such that cj,,- 7^ 
Cm,i- By definition of Check^ it must be that CHECK/(6,i?,-,C,-,cj,i,Z?/,,) = 
Check/(0, Ri,Ci,Cmj, — 1, meaning encapsulated circuit Ci of the atomic 
protocol has been successfully opened both for a 0-challenge and 1-challenge. 
But then, we know from the properties of the atomic protocol described in 
Section 3.4, that we can compute a satisfying assignment for 0 via Extract/ (0, 
Ri, Ci,Di^i,Dfn,i)- (We use here the assumption, made in the lemma statement, 
that the commitment setup strings in M\ are good. See Sections 3.3 and 3.4.) 

Now we need to analyze the nmning time of E\. Say c is good if Check” ( 0, 
R, C, c, D) = 1 where D = Ay,,fi(MiM2M3,i . c). The probability that a random 
c is good is p so one is found in expected 1/p tries. Another different one is then 
found in expected l/(p— 2"") tries. So the pair is found within 2/(p— 2“") tries. 
Elach try being poly(n) time, we have the claimed time bovmd on the expected 
running time of Ei . 




297 



Finally, we need to specify the extractor E claimed in the lemma. We apply 
a trick used in [BeGo] to prove the equivalence of Definitions 3 and 4. On input 
MiM 2 Mz^i and with oracle access to algorithm E produces Mz ,2 as V 
would (this consists of just picking n random challenges), sets Mz = Mz,\Mz, 2 , 
and runs A^^r to get the response M4 = (Mi M2 M3). If the resulting tran- 
script is rejecting (as can be determined by running the verifier’s check) then E 
just aborts. If not, it nonetheless aborts with probability exactly 2~’*. If neither 
of these aborts happens, it runs E\ . Since it nms E\ with probability p - 2~", it 
finds the satisfying assignment with this probability, and moreover its expected 
running time is poly(n) 4- (p — 2~") • poly(n)/(p — 2~") which is poly(n). I 

4.4 Protocol 4R-ZK is computationally convincing 

We will justify the first claim of Theorem 8 by proving the following: 

Lemma 10. Assume f is a one-way function. Then protocol is a com- 

putationally sound proof for the NP-relation Satisfy, achieving negligible error- 
probability. 

We first remark and explain that there is indeed something (non-trivial) to be 
proven here. Typicadly, error-reduction is done by (serial or parallel) repetition. 
Firstly, that’s not what we are doing; there is some repetition in the protocol, 
but the protocol itself does not consist of independently repeating some atomic 
protocol. Moreover, even when the input is unsatisfiable, the atomic sub- 
protocols are actually being run on a satisfiable formula (namely 0). So we are 
not counting on the soundness of the atomic protocol to prove the soundness of 
our protocol! 

As mentioned earlier, our approach is to use proofs of knowledge, and in 
particular Lemma 9. Let us now provide the proof. 

Proof of Lemma 10. It is easy to see that the specified polynomial time prover 
strategy P in 4R-ZK ivill meet the efficient completeness condition of Definition 2. 
The issue is to show that computational soundness is 2u;hieved, emd with the 
claimed negligible error. 

Let us assume protocol 4R-ZK does not have negligible error-probability. As 
per Definition 2 this me^ms there is no negligible function e such that 4R-ZK 
meets the computational soundness condition of Definition 2 with error set to e. 
We will show this contradicts the assumption that / is one-way. 

So we wzmt to show that / is not one-way. As per Definition 7, this means 
we are given an arbitrary negligible function <5 and must show that there is an 
inverter / and an infinite set K of integers such that Invy(n) > <J(n) for all 
n Q K. Let us set e(n) = S{n) ■ 64n. This is still a negligible function. So by 
the above ^U3Sumption, 4R-ZK does not achieve error-probability e. Hence there 
exists a polynomial timejprover P and an infinite set F of unsatisfiable boolean 
formulae such that Acc(P^,V(,,) > e(|^|) for all € F. Let K be the set of all 
integers n for which F contains a formula ip of length n. For each n G K we 
fix (arbitrarily) some formula ipn G F. Before describing the inverter I for / we 




298 



need to isolate certain executions of the intera«;tion between and where 
V> = Vn- 

Good executions. Let n £ K and let (p = <p„. Let iZ be a random tape for 
and MiMiMs^i a partial transcript of an interaction between P^^r and V^. 
(The transcript includes the first two messages of the protocol and the first part 
of V’s third message.) We say that R,M\M 2 Mz^\ is good if the commitment 
setup string in JVfi is good (as defined in Section 3.3) and also Acc(P^,fi, V^,M\ 
MzMz^i) > e(n)/2 (the probability here is only over the choice of the verifier’s 
challenge vector c, since all other quantities are fixed). Since Acc(i%, Vi^) > 
e(n) it must be that the probability (over R and the coins of V leading to 
MiMzMz,!) that Acc(P^^r,V^, M iMzMz^i) > e(n)/2 is at least 1/2. On the 
other hand the probability that the commitment setup string in Mi is bad is 
2“" (cf. Section 3.3). So the probability that R,MiMzMz,i is good is at leeist, 
say, e(n)/4. (This is because we can assume wlog that (5(n) = e(n)/(64n) is, say, 
at least whence 2"" < e(n)/2.) In the sequel we will focus on these good 

transcript prefixes. 

Structure of inverter. We now describe an inverter I for /. The inverter 
7 is a polynomial sized collection of circuits { /„ : n > 1 } as described in 
Section 3.1. (Meaning there is a polynomial P 2 ( ) such that the size of 7„ is 
a most P 2 (n) for all n > 1.) We will show that that for all n 6 K we have 
Inv^(n) > S(n) = e(n)/(64n). 7„ has embedded into it the formula <p„ (which by 
assumption is unsatisfiable). The input to !„ is a n-bit string y = f{x) where x 
was chosen at random from {0, 1}". wants to output a pre-image of y under 
/. We describe as a randomized algorithm. (The coins can always be later 
eliminated by using the non-uniformity). Think if as having oracle aiccess 
to P^ where <p = Pn- (Meaning it will feed it messages and run it, sometimes 
“backing it up” and so forth. It implements this by running F as a subroutine 
with the common input fixed to <p. It is important here that P is polynomial 
time). It begins by picking a random string R for P^ and initializing the latter 
with that. 

First move. I„ will mimic the first move of V, with a slight twist. It picks 
a A [n] and j9 A {0, 1}. Then for i = 1, . . . ,n and j = 0, 1 it does the following: 
If (bi) = {(^>0) set yij = y, else pick Xij A {0,1}" and set j/,j = 
f{xij). We let = FORMULA/ (y,j) be the boolean formula resulting from 
applying Cook’s theorem to the “/(•) = •” relation on input yij, as described in 
Section 3.2. Now I„ also picks random strings Ri,. Rn, of appropriate length, 
as setup strings for the bit commitment to be used in the atomic protocol. It 
lets Ml consist of the strings j/,j for i = 1, . . . ,n and j — 0, 1, together with 
Ri,...,Rr,. This, thought of as the first message of V to P^, is then “sent” to 

P^- 

Second move. I„ runs to get its response Mz = P^{Mi ; R) to the ver- 
ifier message Mi. This response has the form Mz = Mz^iMzp where Mz,i = 
(bi,.. bn) and M 2, 2 = (Oi , . . . , C„). Here Cj is (supposed to be) a committal for 
a run of the atomic protocol on input G = (pV^, where # = ^i, 1 - 61 V. . . 




299 



Opening. Recall that is supposed to return to for all i = 1, . . . ,n. 
In would like to do the Sctme. But if 6 q = ^ then this means it must return a 
pre-image of ya,p imder /, and it does not know such a pre-image. (Indeed, the 
goal of I„ is to find one). So in this case I„ aborts. But this can only happen 
with probability 1/2 since 0 was a random bit. In case ba ^ 0, our sets 
A^ 3 ,i = X = , . . . This is the first part of a verifier message Ms to 

be sent to P^. 

Finding a witness for Now comes the important step. In will run an 
“extractor” for the protocol which consists of n parallel runs of the atomic pro- 
tocol on input & and find a satisfying assignment for <?. Specifically, we apply 
Lemma 9. Let £7 be as in that lemma and let Pi( ) be the pol 3 ^lomi^^l which is 
its expected running time. /„ runs E on input giving it oracle 

2 iccess to However, this execution is halted in 2pi(n) steps. (Recall E has 
an expected polynomial running time, but In needs to halt within a fixed poly- 
nomial amount of time.) If E finds, within this time, a satisfying assignment T to 
0 = (p\/^, then In will be able to find what it wants, n^lmely a point x satisfying 
f{x) = y. The crucial observation is that since <p is unsatisfiable, the assignment 
T must satisfy Hence it must satisfy for some i G [n]. Since a was 

chosen at random from [n] it will be the case that i = a with probability at least 
1/n. We know ba ^ 0 (since otherwise we aborted above) meaning ba = 1 — 0. 
So we have an assignment to ^a,0- Now recall that $a,0 = Formula/ (y). Ap- 
pl)ring the witness transformation f /,2 discussed in Section 3.2, we can compute 
a string x such that f{x) = y. /„ does this and outputs x. 

Analysis. The running time of /„ is clearly poly(n). We must analyze its success 
probability. We assume RjMiMsMs^i is good in the sense defined above: we 
saw this happens with probability at least 1/4. This means the commitment 
setup strings in Mi are good and p = Acc{P^^jt,V^,MiM2M3^i) > €{n)/2. Now 
Lemma 9 says that E would find a satisfying assignment to 0 with probability 
at least p — 2“" > e(n)/2 - 2~” > e(n)/4. (Recall we assumed wlog that S{n) = 
e(n)/(64n) is at least whence the last inequality.) Since we halt E within 

twice its expected running time, Markov’s inequality says we find the assignment 
with at least half the originEd probability. So /„ finds x with probability at least 
e(n)/8. Putting this together with the other probability losses, all together, I„ 
succeeds with probability at least e(n)/(64n) = 6{n), as desired. I 

4.5 Protocol 4R-ZK is a computational proof of knowledge 

The second cleum of Theorem 8 is justified by the following lemma. 

Lemma 11. Assume f is a one-way function. Then protocol 4R-ZK is a compu- 
tational proof of knowledge (with negligible knowledge error) for the NP-relation 
Satisfy. 

Before proving it let us discuss the issues. Given a satisfiable formula (p and 
oracle swicess to a polynomial time prover P, the goal is to extract a satisfy- 
ing assignment to <p, with a success probability only marginally less than the 




300 



probability that convinces to eiccept. We can easily run the extractor of 
Lemma 9 to find a satisfying assignment T, but for 0, not (p. But & = Our 
worry is that T satisfies not tp. However, intuitively not, because a satisfying 
assignment to # corresponds to the ability to invert /, eind thus should appear 
only with negligible probability. To capture this intuition we must show that 
were T to satisfy # too often then there would be a way to invert /. We can do 
this similarly to the proof of Lemma 10. 

Proof of Lemma 11. We will exhibit an extractor E\ such that the conditions of 
Definition 3 are met for some negligible function k(-). (Recall Definition 3 and 
Definition 4 are equivalent.) E\ has input satisfiable formula <p, and has oracle 
access to P^^r where R is some (randomly chosen and then fixed) random tape 
for prover P. Ei first picks a random a tape R' for V. It now plays the role 
of V, invoking P for the role of the prover, and generates a partial transcript 
M\M 2 Mz,\ of the interaction between P^ and V^^r>. If the commitment setup 
strings in M\ are not good then Ei aborts. Else it runs the knowledge extractor 
E of Lemma 9 on input ip, giving it oreicle access to P,p,R- Whatever 

the latter outputs (hopefully an assignment T to 0) is what Ei outputs. 

Since E runs in expected polynomial time, it is easy to see that E\ does 
too. Similarly, given Lemma 9, it is easy to see that with probability at least 
p_ 2~”+i, algorithm Ei outputs a satisfying assignment T to 6> (not (pV), where 
p = Acc(P<p, V^). (We loose the additional 2~" over the success probability of 
E because the commitment setup strings are bad with probability at most 2“” 
(cf. Section 3.3) and Ei aborts in this case.) 

But our goal is to find a satisfying assignment to tp. Remember 0 = tp. 
Our worry is that T satisfies # rather than (p. Intuitively, however, not, because 
we know that the ability to find an assignment to d? corresponds to the ability to 
invert /. Thus it might happen, but only negligibly often. We must now capture 
this. 

We must show there exists a negligible function k( ) such that T is a satisfying 
assignment to tp with probability p — «;(n), for all p of size at least N^, where 
Np is rin integer depending on P. Assvune towards a contradiction that there is 

no such K. So given any negligible function k there is a polynomial time prover P 
and an infinite set F of formulas such that when p F, the assignment T output 
by E\ satisfies ^ (rather than p) with probability at least (p— 2~") — (p— «(n)) = 
K{n) — 2"". We must show that this implies / is not one-way. 

We will not give the construction and proof for this last statement in full 
because the idea is essentially the same as in the proof of Lemma 10. We use the 
composite of E^ as an algorithm to construct an inverter for /. Like in the proof 
of Lemma 10, we are given a value y cuid WEuit to find a pre-image of y under 
/. We put y into the first message of the verifier in the same way as before. 
Eventually when Ei gives us an assignment T to it has some probability 
of satisfying Formula/(j/) and then we get a pre-image of y under /, just as 
before. The details Ccin be filled in by looking at the proof of Lemma 10. I 




301 



4.6 Protocol 4R-ZK is zero-knowledge 

The third claim of Theorem 8 is justified by the following lemma. 

Lemma 12. Assume f is a one-way function. Then protocol 4R-ZK is a (com- 
putational) zero-knowledge protocol. 

Proof. We must specify a simulator S for which Definition 6 is met. S has input 
ip and oracle access to where V is any (possibly cheating) polynomial time 
verifier algorithm and f? is a randomly chosen random tape for V^. It must 
produce a transcript r such that (R,t) is distributed like random members 
of the view of the reed interaction between and V^. Before describing the 
algorithm let us sketch the intuition. ^ 

S will be trying to produce the prover moves in a conversation with V^,r. Of 
course, not knowing a satisfying assignment for (p, it can’t really play the prover. 
But recall the atomic protocol is run not on input p but on input 0 — py 
The trick is that it suffices to know a satisfying assignment for &. 

Indeed, suppose we know some satisfying assignment for 0. This is not nec- 
essarily a satisfying assignment for p. Still, we can “mimic the prover” by using 
this assignment in the atomic protocol. The verifier will never know it was not 
an assignment to p, because the proof is ZK and hence witness indistinguish- 
able [FeSh]: views of the verifier for different witnesses held by the prover are 
indistinguishable. 

So if the simulator cam find a satisfying aj^ignment to 0 it can complete a 
simulation. How cam it find one? It cam force V^p^R to give it one! It will do this 
by forcing the verifier to reveal a pre-image of for some i € [n]. 

This corresponds effectively to a satisfying assignment to and hence to a 

satisfying assignment to $ amd hence to a satisfying assignment to 0. 

But how does it get What reveaJs is exactly to prevent 

the prover from getting Xjj-j,. , because if the prover had the latter, it could 
cheat. But the simulator has am auivamtage: it cam backup the verifier and run 
it twice for different choices of 6i , . . . , 6„. First it runs it in a normad way on 
some “dummy” chedlenges b\,...,b'„, gets baick the corresponding pre-images, 
amd then cladms that the read chedlenges 6i , . . . , were different, in pairticular 
have ba = 1— b'„ for some a € [n]. For the new chedlenges, it has the pre-image. 

Let us now specify all this in full. Here is the algorithm for S with input p 
amd oracle aiccess to V^,r\ 

(1) S runs V^,j? to get the first message Mi = Mi_iMi^ 2 - Here Mi,i consists of 
strings yij e {0, 1}" for i = 1, . . . ,n and j = 0, 1, and Mi, 2 = (i?i, . . . , Rn) 
consists of n strings to play the role of commitment setup strings. We let 

= FORMULA/ (yij) be the formula corresponding to yij via Cook’s 
theorem, as expladned in Section 3.2. 

(2) S picks at random b[,...,b'„ € {0, 1} amd lets = ^ 1 , 1 -b', V. . . V#n,i_6'„ . It 
then lets 0' = pV^' and picks at ramdom an assignment T' to the variables 
of 0'. (This assignment is extremely unlikely to satisfy 0', but that does 




302 



not matter!) For each i = 1, . . . , n it then picks at remdom some coins p\ and 
computes an encapsulated circuit C{ = EncCirC/( 0',T', Ri,p'^ for &. We 
let M',1 = 6'„) and = C'^). We view Ml, = 

as the second protocol message (from the prover). 

(3) S runs V^^RiMiM!,) to get back its response Mj = ^3,1 

consists of values for t = 1, . . . , n and Mg 2 is a Acillenge vector. S 
checks that /(x,-,6') = yiy for t = If this fails, it outputs the 

current partial conversation and halts. Else it continues. 

(4) S now picks at random another sequence of bits 61,..., € {0,1}. If 

(ti , . . . , bn) = (b\, . . . ,b'„) then it aborts (but this happens only with prob- 
ability 2~”). Else it fixes an index a 6 [n] such that hi ^ b\. It lets 
^ V ... V ^n,i-fc, and 6 = <p\/ Now, notice that 1 ~ ba = b'^ 

and S knows Xa^i,'^ , a pre-image of ya,b'^, from the previous step. Because of 
this, it can compute a satisfying assignment T to the formula ^a,b'^ ■ (This 
is via the properties of Cook’s reduction as explmned in Section 3.2.) But 
then T also satisfies # and hence O, so S has in its possession a satisfying 
assignment to O. Now the idea is to act like the reed prover on input this 
assignment. (Note this assignment does not satisfy <p, but the verifier will 
never be able to tell, because it does satisfy the formula & on which the 
atomic protocol is performed, and the bit commitments are secure.) So for 
each i = 1, . . . ,n the simulator picks at random some coins pi and com- 
putes an encapsulated circuit Cj = ENcClRC/(0,T,ili,pi) for 0 . We let 
Mg = M2,\M2,2 where M2,i = (6i,...,i>n) and M2,2 = (Ci,...,C„). We 
view M2 as a second protocol message (from the prover). 

(5) Backing up the simulator S computes V^^r{MiM2) to get back its 
response M3 = M3^iM3,2. Here Ms,i consists of values for i = 1, . . . ,n 
and M3, 2 is a challenge vector ci, . . . ,c„. S checks that /(x,-,6.) = for 
1 = 1, . . . ,n. If this check fails S cannot abort or output this conversation. 
(One can check this would lead to an incorrect simulation.) Instead, it must 
return to Step 4 and try again, continuing this loop until the check does 
pass. (This is a standard procedure, used for example in [BMOl], and as 
there one can show that the expected number of tries in this process is at 
most 2.) So we go on assuming the check did pass. 

(6) Having a satisfying assignment T to 0 , the simulator (now in guise of the 
prover) is able to answer the challenges ci , . . . , Cn by opening the appropri- 
ate parts of the encapsulated circuits C7i, . . . , C„ just as the prover would. 
Namely S can compute D{ = ANSWERy(6,T, Rj,pi,Ci) for i = 1 , . . . ,n and 
let M4 consist of Di , . . . , D„. 

(7) Finally, S can output r = M1M2M3M4 as a transcript of the interaction 
between the prover and 

Fix some witness selector W: SAT — > {0, 1}* for the relation Satisfy{-, ). That 

is, W((p) is a satisfying assignment to <p for every € SAT. As per Definition 6 




303 



y 

we want to show that the probability ensembles £i = {5 iv>)}<fieSAT and 
£2 = {VlEW(P, iy,y,VJ)}((,gsyiT computationally indistinguishable. (Refer 
to Section 2.4 for the definition of S.) We will do this under the assumption that 
/ is a one-way function. We will provide here only a brief outline of the intuition 
behind this proof. 

The function / shows up in two places in the protocol. First, / is used 
in the construction of K-values underlying the formula Second, / underlies 
the bit commitment scheme of the atomic protocol. The first use of / is not a 
concern for the zero-knowledge, in the sense that the protocol would be ZK (but 
not computationally convincing or a computational proof of knowledge!) even if 
the function used to produce the F-values was not one-way. The ZK depends 
however on the security of the bit commitment scheme, and hence indirectly on 
the one-wayness of /. 

The privacy (cf. Section 3.3) of the bit commitment scheme means that when 
S, in Step (2), forms an encapsulated circuit using a dummy truth assignment T', 
the verifier V has no feasible way to detect it, and its behavior can change “only 
negligibly.” Now, in Step (4) the simulator uses a satisfying assignment for 0 that 
is different from the one the prover would use. But since the atomic protocol is ZK 
it is also witness indistinguishable in the sense of [FeSh]. Furthermore, they show 
that witness indistinguishability is preserved under parallel repetition, so the 
protocol consisting of n parallel repetitions of the atomic protocol is also witness 
indistinguishable. So the transcripts produced for the two different witnesses in 
protocol 4R-ZK have (computationally) indistinguishable distributions. 

The formal proof would be by contradiction. We assume the ensembles are 
not computationally indistinguishable. So for any negligible function 5( ) there 
is a distinguisher D = {D^}^^sAT «uid an infinite set F of satisfiable boolean 
formulae such that 



Pr 



D^{v) = 1 



R -=V,f 

vi-S 



(<P) 



- Pr [ D^{v) = 1 ; i; A ViEW(F, W,V,<p)^ 



is at least <5(|v?|) whenever ip €. F. Using D we would do one of the following. 
Either construct a polynomied sized circuit family that defeated the privacy of 
the bit commitment scheme, which would contradict the security of this scheme 
as proven in [Na, HILL], Or, build a distinguisher that would contradict the 
witness indistinguishability of n parallel repetitions of the atomic protocol. We 
omit these proofs from this abstr 2 ict. I 



Acknowledgments 

We thank the (anonymous) referees of Eurocrypt 97 for comments which im- 
proved the presentation of the paper. 

Mihir Bellare is supported in p 2 irt by NSF CAREER Award CCR-9624439 
and a Packard Foundation Fellowship in Science and Engineering. 




304 



References 

[BeGo] M. Bellare and O. Goldreich. On Defining Proofs of Knowledge. Ad- 
vances in Cryptology - Crypto 92 Proceedings, Lecture Notes in Computer 
Science Vol. 740, E. Brickell ed., Springer- Verlag, 1992. 

[BMOl] M. Bellare, S. Micali and R. Ostrovsky. Perfect Zero-Knowledge in 
Constant Rounds. Proceedings of the 22nd Annual Symposium on the Theory 
of Computing, ACM, 1990. 

[BM02] M. Bellare, S. Micali and R. Ostrovsky. The true complexity of statis- 
tical zero-Knowledge. Proceedings of the 22nd Annual Symposium on the 
Theory of Computing, ACM, 1990. 

[Be Yu] M. Bellare and M. Yung. Certifying permutations: Non-interactive zero- 
knowledge based on any trapdoor permutation. Journal of Cryptology, Vol. 9, 
No. 1, pp. 149-166, Winter 1996. 

[Bl] M. Blum. Coin Flipping over the Telephone. IEEE COMPCON 1982, 
pp. 133-137. 

[BDMP] M. Blum, A. De Santis, S. Micali, and G. Persiano. Non-Interactive 
Zero-Knowledge Proof Systems. SIAM Journal on Computing, Vol. 20, No. 6, 
December 1991, pp. 1084-1118. 

[BlMi] M. Blum and S. Micali. How to generate cryptographically strong se- 
quences of pseudo-random bits. SIAM Journal on Computing, Vol. 13, No. 4, 
pp. 850-864, November 1984. 

[BrCr] G. Brassard and C. Crepeau. Non-transitive Transfer of Confidence: A 
perfect Zero-knowledge Interactive protocol for SAT and Beyond. Proceedings 
of the 27th Symposium on Foundations of Computer Science, IEEE, 1986. 

[BCC] G, Brassard, D, Chaum and C. Crepeau. Minimum Disclosure Proofs of 
Knowledge. J. Computer and System Sciences, Vol. 37, 1988, pp. 156-189. 

[BCY] G. Brassard, C. Crepeau and M. Yung. Constant round perfect zero 
knowledge computationally convincing protocols. Theoretical Computer Sci- 
ence, Vol. 84, No. 1, 1991. 

[FFS] U. Feige, a. Fiat, and A. Shamir. Zero-Knowledge Proofs of Identity. 
Journal of Cryptology, Vol. 1, 1988, pp. 77-94. 

[FLS] U. Feige, D. Lapidot, and A. Shamir. Multiple Non-Interactive Zero- 
Knowledge Proofs Based on a Single Random String. Proceedings of the 
31st Symposium on Foundations of Computer Science, IEEE, 1990. 

[PeSh] U. Feige and A. Shamir. Witness Indistinguishable and Witness Hiding 
Protocols. Proceedings of the 22nd Annual Symposium on the Theory of 
Computing, ACM, 1990. 

[Fo] L. Fortnow. The Complexity of Perfect Zero-Knowledge. In Advances in 
Computing Research, Ed. S. Micali, Vol. 18, 1989. 

[GoKa] O. Goldreich and A. Kahan. How to Construct Constant-Round Zero- 
Knowledge Proof Systems for NP. Journal of Cryptology, Vol. 9, No. 3, 1996, 
pp. 167-190. 

[GoKr] O. Goldreich and H. Krawczyk. On the Composition of Zero Knowledge 
Proof Systems. SIAM J. on Computing, Vol. 25, No. 1, pp. 169-192, 1996. 

[GMW] O. Goldreich, S. Micali and A. Wigderson. Proofe that yield nothing 
but their validity or all languages in NP have zero knowledge proof systems. 
Journal of the Association for Computing Machinery, Vol. 38, No. 1, July 
1991. 




305 



[GoOr] O. Goldreich and Y. Oren. Definitions and properties of zero-knowledge 
proof systems. Journal of Cryptology, Vol. 7, No. 1, 1994, pp. 1-32. 

[GoMi] S. Goldwasser and S. Micali. Probabilistic Encryption. J. Computer and 
System Sciences, Vol. 28, 1984, pp. 270-299. 

[GMR] S. Goldwasser, S. Micali and C. Rackopp. The knowledge complexity of 
interactive proof systems. SIAM J. on Computing, Vol. 18, No. 1, pp. 186- 
208, February 1989. 

[HILL] J. Hastad, R. IMPAGLIAZ70, L. Levin AND M. LUBY. Construction of a 
pseudo-random generator from any one-way function. Manuscript. Earlier ver- 
sions in STOC 89 and STOC 90. 

[ImLu] R. Impagliazzo and M. Luby. One-way Functions are Essential for 
Complexity-Based Cryptography. Proceedings of the 30th Symposium on 
Foundations of Computer Science, IEEE, 1989. 

[ImYu] R. Impagliazzo and M. Yung. Direct Minimum-Knowledge Computations. 

Advances in Cryptology - Crypto 87 Proceedings, Lecture Notes in Computer 
Science Vol. 293, C. Pomerance ed., Springer- Verlag, 1987. 

[ISl] T. ITOH AND K. Sakurai. On the complexity of constant round ZKIP of 
possession of knowledge. lEICE H'ansactions on Fundamentals of Electronics, 
Communications and Computer Sciences, Vol. E76-A, No. 1, January 1993. 
[Na] M. Naor. Bit Commitment using Pseudo-Randomness. Advances in Cryptol- 
ogy - Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, 
G. Brassard ed.. Springer- Verlag, 1989. 

[NOVY] M. Naor, R. Ostrovsky, R. Venkatasan, M. Yung. Perfect zero knowl- 
edge arguments for NP can be based on general complexity assumptions. Ad- 
vances in Cryptology - Crypto 92 Proceedings, Lecture Notes in Computer 
Science Vol. 740, E. Brickell ed., Springer- Verlag, 1992. 

[OsWi] R. Ostrovsky and A. Wigderson. One-way functions are essential for non- 
trivial zero-knowledge. Proceedings of the Second Israel Symposium on The- 
ory and Computing Systems, IEEE, 1993. 

[ToWo] M. Tompa and H. Woll. Random Self-Reducibility and Zero-Knowledge 
Interactive-Proofs of Possession of Information. Proceedings of the 28th Sym- 
posium on Foundations of Computer Science, IEEE, 1987. 

[Ya] A. C. Yao. Theory and Applications of Trapdoor functions. Proceedings of 
the 23rd Symposium on Foundations of Computer Science, IEEE, 1982. 

A Constant round ZK via coin flipping plus NIZK 

The protocol stated in Figure 1 as obtained by combining [Bl, FLS] is folklore. 
First use Blum’s coin flipping in the well protocol [Bl] to get a common random 
string, then do a NIZK [BDMP] proof, which cam be done with a trapdoor per- 
mutation [FLS, Be Yu]. In somewhat more detail, the first move is the verifier 
committing. For a four round ZK protocol we need a “certified one-way permu- 
tation.” (Based on algebraic assumption, e.g. Discrete Logarithm. An arbitrary 
trapdoor permutation won’t suffice.) After this the prover sends bits in the clear, 
the verifier de-commits, and the XOR of the prover bits and the verifier’s de- 
comitted bits is declcired to be the common random string. The non-interactive 
ZK (NIZK) proof is run on the latter. The reason the full protocol is an argu- 
ment, not a proof, is that the verifier’s first round committals are done using a 
computational assumption. 




Efficient Cryptographic Protocols 
Based on Noisy Channels 



Claude Crepeau* 



Depcirtement d’Informatique et R.O., 
Universite de Montreal, 

C.P. 6128, succurscile centre-ville, 
Montreal (Quebec), Ccuiada H3C 3J7. 
e-mail: crepeau@iro.umontreal.ca. 



Abstract. The Wire-Tap Channel of Wyner [19] shows that a Binary 
Symmetric Channel may be used as a basis for exchanging a secret key, 
in a cryptographic scenario of two honest people facing an eavesdropper. 
Later Crepeau and Kilimi [9] showed how a BSC may be used to im- 
plement Oblivious Transfer in a cryptographic scenario of two possibly 
dishonest people facing each other. Unfortunately this result is rather im- 
practiccil as it requires bits to be transmitted through the BSC to 

accomplish a single OT. The current paper provides efficient protocols to 
achieve the cryptographic primitives of Bit Commitment and Oblivious 
Transfer based on the existence of a Binary Symmetric Channel. Omr 
protocols respectively require sending 0(n) and O(n^) bits through the 
BSC. These results are based on a technique known as Generalized Pri- 
vacy Amplification [l] that allow two people to extract secret information 
from partially compromised data. 



1 Introduction 

The cryptographic power of a noisy channel has been demonstrated by Wyner 
[19] who showed that two honest parties, say A and B, can exchange a secret 
key on which an eavesdropper S may obtain only a small fraction of the infor- 
mation as long as A and B are connected by a Binary Symmetric Channel of 
better quality than a similar Channel connecting them to S. More recently, a 
result of Bennett, Brassard, Crepeau and Maurer [1] provides a technique called 
Generalized Privacy Amplification to ensure that ^’s information is an arbitrary 
small fraction of a bit under the same conditions. 

But cryptography is no longer interested solely in protecting communications. 
As a result of public-key cryptography, a large number of other cryptographic 
tasks have emerged. Examples of such tasks are Coin-flipping by telephone [3] 
and Mental Poker. These may involve two or more parties, some of which may 
be dishonest. The general concept of Distributed Function Evaluation was first 
introduced by Yao [20] and later extended to “Mental Games” by Goldreich, 
Micali and Wigderson [12]. 

* Supported in part by Quebec’s FCAR and Canada’s NSERC. 



W. Fumy (Ed.); Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 306-317, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




307 



Distributed Function Evaluation and Mental Games are multi-party algo- 
rithms which involve secret data that the parties want to keep from one an- 
other. In the model where we are ready to accept computational assumptions, 
such general tasks can be achieved from basic assumptions such as the existence 
of a One-Way Trapdoor Function [12], 

The lesson derived in the computational model is that very simple protocols 
are sufficient to achieve the general ones. The two primitives known as Bit Com- 
mitment (defined in Section 3) and Oblivious Transfer (defined in Section 4) 
are elementary protocols that are sufficient in general to accomplish any Mental 
Games, even in a non-computational scenario [14, 8]. 

The current paper considers a scenario where only two people, A and B, are 
involved and where we put no limitation on their computing power. If we made 
no further assumption, it would be impossible to accomplish Mental Games. 
Thus, the extra assumption we make is that A and B are connected by a Binary 
Symmetric Channel (BSj), that is a channel that will change the value of a bit 
b with probability e as it travels from one party to the other. 

A first protocol to accomplish Oblivious Transfer from a Noisy Channel 
was presented in [9]. Unfortunately, that protocol is quite complex and requires 
bits sent through the BSC to perform a single Oblivious Transfer, where 
n is a security parameter that specifies the reliability of the protocol. As a con- 
sequence, any two-party computations may be performed from the assumption 
that there exists a reliable BSC. The current solution is by far more efficient than 
those suggested earlier. The current paper provides a protocol for Bit Commit- 
ment that uses 0{n) times the BSf and a protocol for Oblivious Transfer that 
uses O(n^) times that primitive, where n is a security parameter that specifies 
the probabilities of failure of the protocols. These probabilities are all exponen- 
tially small in n. 

2 General Tools 

2.1 Error Channel 

We consider a standard error model: the binary symmetric channel. In the binary 
symmetric channel A sends a bit to B that is flipped with probability e 

^ f i with prob. c 
®®'^"^ = \a:wrth prob. 1 - e. 

By extension, we also write BS£(ui) as ashorthand for BSf (u)i)BSf(tn 2 )---BSe(u;„) 
when (u = WiW 2 ...Wn is an n-bit word. Let H(e) = — elgc — (1 — e) lg(l — e) be 
the binary entropy function. We define the channel capacity of the BS^ to be 
G = l-H(e). 

A nice property of the binary symmetric channel is that it is totally symmet- 
rical between the participants: if B wants to send a bit x via BSf(») to A when 
it is only available from A to B, they can do as follows: 




308 



Protocol 2.1 ( BSt(z) ) 

1: A picks r {0, 1} and runs BSe(r) with B who gets r', 
2: B announces y x (B r' to >1, 

3: A returns y © r. 



In general, for the binary symmetric channel, any protocol may be inverted 
by permuting A and B and replacing BS^ by BS^. Therefore the protocols of 
sections 3 and 4 may be achieved from a noisy channel running either way. This 
is not the case with all channels. The following is an example of the opposite 
type. 

An alternative to the binary symmetric channel would have been to consider 
the erasure channel where bits are either received without errors, or coinpletly 
lost with probalities 1 — f and e. However this situation has been previously 
analyzed since the erasure channel is the same as Rabin’s Oblivious Transfer 
[16]. Protocols for Hit Commitment and (j)-OT using Rabin’s O.T. are available 
in [14] and [7]. 

2.2 Coding theory 

An \n,k,d\ linear code C is a linear subspace of {0,1}” of dimension k (and 
cardinality 2^ ) such that no two words cj , from C are such that (ci , 02 ) < d, 
except if ci = C 2 , where dn{x,y) is the Hamming distance between x and y: the 
number of positions where they differ. 

Such a code is defined as the linear combinations of the rows of a generating 
matrix G of dimension k x n. Alternatively, C may be defined as the kernel of 
a parity check matrix H of dimension n x [n — k). Knowledge of G or H is 
computationally equivalent as it is easy to get one from the other. 

For section 3 we need the well known fact [15, chap. 17, prob. (30)] that there 
exists a constant p > 1 such that a random binary matrix G of size Kn x n defines 
a binary linear code with minimal distance at least en except with probability 
not greater than , for values of R < C^. 

For section 4 we need codes that are efficiently decod able with high correction 
rate and high dimension. For this purpose we use concatenated codes defined in 
[11] that are efficiently encoded and decoded. Asymptotically, very long [n, Rn, d] 
concatenated codes maybe constructed in such a way that for every e > 0 there 
exists a constant p > 1 such that the codes fail to correct en errors except 
with probability not greater than for values of i? < C,, (although the 

minimum distance d may be somewhat smaller than en). Please consult [11] for 
more information on asymptotic performances of concatenated codes. 

In some situations the information transmitted is not a codeword. In such a 
case, as long as the syndrome syn{w) = H^w of a word w is known the decoding 
algorithm may be used to recover w from a noisy version of that word and the 
value of syn(w). Please consult [15] for more information on coding theory. 





309 



2.3 Generalized Privacy Amplification 

Let be a random variable uniformly distributed over {0, 1}" and let BSe(lV) 
be another random variable obtained from W through a binary symmetric chan- 
nel of error rate e, i.e. 

Prob [BS,(1P) = v\W = te] = (1 - 

Let G be a random variable taking values g : {0,1}” — >• {0,1}’’ uniformly 
distributed from a universal 2 class of hash functions [6]. It is shown in [1] that 

Theorem 1. For any J > 0 and all sufficiently large n, for s — n(H(e) — (S) — r 
/f(G(kF)|BS,(M^),G)>r-^. 

Moreover, according to [2, 5, 1] for the special case where we have a linear 
function syn : {0, 1}" — > {0, 1}‘ 

Theorem 2. For any a G {0, 1}', <S > 0 and all sufficiently large n , 
for s = n(H(f) — 5) — r 

H{G{W)\syn(W) = (r,BSe{W),G) > 

Since /f(G(lV)|syn(l'P) = <r, BSe(VP), G) = r means that no information about 
G{W) is given by syn{W) = c, BSe(kP), G, the above result is exponentially 
close to the best possible: the latter contains almost no information about G{W). 

3 Bit Commitment 

Assume that a party, A, has a bit b in mind, to which she would like to be 
committed toward another party, B. That is, A wishes, through a procedure 
BC(6), to provide B with a piece of evidence w that she has a bit b in mind 
and that she cannot change it (binding). Meanwhile, B should not be able to tell 
from that evidence what b is (concealing). At a later time, A can reveal, through 
an unveiling procedure UN(6,p), the value of b and prove through p to B that 
the piece of evidence sent earlier (w) really corresponded to that bit. 

Bit commitment schemes have several applications in the field of crypto- 
graphic protocols. In particular one can implement zero-knowledge proofs of a 
variety of statements using bit commitment schemes [13, 4]. The first implemen- 
tations of bit commitment schemes were given in a computational complexity 
scenario [3]. Unfortunately, proofs of their (computational) security have always 
required an unproven assumption since otherwise they would imply very strong 
results such as ’P MV. 

This section is inspired by that work of [5] to achieve Bit Commitment in 
the model of Quantum Cryptography. 




310 



3.1 Bit Commitment from Binary Symmetric Channel 

Intuition behind Protocols BC &: UN After establishing a proper error- 
correcting code, A sends a codeword from that code to B through the BSc- 
The code is such that B should have many candidates for A’s codeword after 
seeing it through the BSe- The secret bit of A is given by applying a random 
function from a universal^ class to the codeword. To unveil her bit, A discloses 
her codeword. She should not be able to announce two codewords that B will 
find close enough to the word he received to believe her. 



Formal Protocol Let e be the error probability of the channel, and 7 < 1 be 
a positive number. Let > 0 be such that H(e) — > H(7t) and such that 

(H(e) — S)n is an integer. The following protocols work for any value of e such 
that 0<e<l/2, in contrast to the protocols of Section 4. 



Protocol 3.1 ( BC(6) ) 

1: B chooses and announces I.0 A a binciry linear [n,fc,d]-code C 
with parameters k = {I — H(e) -t- ii)n and d > yen. 

2: A 

picks a random n-bit string m and announces it to B, 

- picks a random codeword c € d such that c © m = b, 

n 

- DO runs BSAcA with B who receives c', 

i=l 

- returns c,b. 

3: B sets c' •«- (c'iC2 . . .cjj) and returns (C,m,c'). 



B keeps c' secret forever, whereas A keeps b and c secret until (and if) unveiling 
takes place. If A subsequently decides to unveil her commitment, she initiates the 
next protocol with B. There exists a positive number A < 7(1/2 — e)/2 such that 
an honest A is likely to satisfy the following with overwhelming probability while 
a dishonest A is unable to open the commitment as both bits with overwhelming 
probability. 



Protocol 3.2 { UN(c,6),(C,m,c') ) 

1; if (c £ C) A (b = c 0 m) A (dn(c, c') < en -f An) 
then B accepts else B rejects. 



Details of the Protocol In the above Protocol BC we ask B to choose a code 
with specific parameters. The effect of these parameters on the security of the 
protocol explain why we require B to do this job and not A: the bigger d is, the 
more unlikely it is for A to cheat and the bigger k is, the more unlikely it is 







311 



for B to cheat. Coding theory give us limits on how big d and k can be at the 
same time. In order to have them as large as possible at the same time, the best 
construction known to this day is to pick the generating matrix of the code at 
random. Nevertheless, in this case the value of k is easy to figure out from the 
matrix (the rank of the matrix) while the exact value of d is more difficult to 
determine. All we know is that it is likely to be high. 

As discussed in Sect. 2.2, a random binary matrix G of size Rn x n defines 
a binary linear code with minimal distance at least en except with probability 
p{R-C^)n^ thus B has an exponentially small probability of having d too small 
when he picks a, k x n matrix at random. A can easily verify that the value of k 
is correct. 

The random vector m is used to define a Privacy Amplification Function of 

{o,ir to {0,1}. 



3.2 Analysis of the Protocol 



Concealing Let C and M be the random variables describing B’s possibilities for 
c and m. Before c is sent through the BSC, C is uniformly distribnted among 
all the possible codewords of C and M among all possible n-bit strings. Let 
0 < < <5. We are in the scenario of Theorem 2 with r = 1, t = (H(e) - <f)n, 

and s = (H(e) — (f')n — 1. We therefore conclude that seeing a codeword c through 
a BSC and learning m is not enough to know much about c(F)m-. 



Theorem 3. For any all sufficiently large n 



H{C Q M\syn{C) = (0, 0, ..., 0), BS,(C), M) > 1 - 



2(5^ — 5)ti + 1 



Binding An honest A sends a random codeword c through the channel. Con- 
sider the random variable rffl'(c, BSf(c)). It is clear that £'(dif(c, BSe(c))) = en 
and by Bernstein’s law of large numbers [17, Chap. VII, Sect. 4, Theorem 2] 
Prob [dff(c, BSe(c)) > en + An] is exponentially small in n for all A sufficiently 
small, and all sufficiently large n. A dishonest A sends any word w through 
the channel and later would like to claim Cq or Ci to unveil as 0 or 1. One 
of these, say Cj, is such that dH{cz,w) > ■)enj2. Consider the random variable 
dff{cz , BSe(u;)). It is easy to calculate that (cz, BSe(iw))) > en-|-7(l/2— e)n 
and by Bernstein’s law of large numbers Prob [dj/(cj, BSe(u;)) < en -I- 7(1/2 — f)n — An] 
is exponentially small in n for all A sufficiently small, and all sufficiently large n. 

Thus any A < 7(1/2 — e)/2 will satisfy our requirements that an honest A 
succeeds except with probability exponentially small in n, while a dishonest A 
succeeds to open both ways only with probability exponentially small in n. 




312 



4 Oblivious Transfer 

One-out-of-two Oblivious Transfer, denoted (f)-OT, is a primitive that origi- 
nates with [18] (under the label of “multiplexing”). According to this primitive, 
one party A owns two secret strings wq and w\, and another party B wants to 
learn Wc for a secret bit c of his choice. A is willing to collaborate provided that 
B does not learn any information about Wg, but B will only participate if A 
cannot obtain information about c. 

Similarly, in an Oblivious Transfer [16], A sends a message to B that is 
received with probability e (this fact is out of their control) while the message 
is otherwise lost. A does not find out what happened. B knows if he got the 
message or nothing. We note this protocol OT^. Independently from [18] but 
inspired by [16], (i)-OT was introduced suKsequently in [10] with applications 
to contract signing protocols. 

These two simple cryptographic tools have been extensively studied by sev- 
eral researchers because they turned out to be elementary blocks to build more 
elaborate cryptographic tasks known as “secure computations” . This idea intro- 
duced by Yao [20] allows A and B to compute a two- argument function on data 
they would like to keep secret from one another. They find out the output of the 
function but not their respective inputs. It was shown in a computational model 
that One-out-of-two Oblivious Transfer suffices to perform general secure com- 
putations by Goldreich, Micali and Wigderson [12] and later in an abstract (not 
necessarily computational) model by Kilian [14]. Crepeau showed [7] that indeed 
Rabin’s Oblivious Transfer can also do the job by describing a general technique 
to turn an Oblivious Transfer into a One-out-of-two Oblivious Transfer. The 
result of the current section is an extension of that technique. 

4.1 Oblivious Transfer from Binary Symmetric Channel 

Basic Idea For e > 1/2, simulate OT£(6) with protocol OTt(6) obtained by 
sending b twice through the BSC of error probability (p = ■ ~^2 ~ 
reduce (f)-OT to OTf(6) with a Protocol similar to that of [7]. 



Protocol 4.1 ( OTe(6) ) 

1: A nms BS^(6)BS,^(6) with B who receives 6obi, for p = 
2: if bo = bi then B returns bo else B returns e. 



The problems with this approach are that OTe(b) makes errors and that A can 
send bad pairs bb: if ^ is honest and sends bb through the binary symmetric 
channel then 

f (1 — p)"^ if X = b 
— < if a; = b 



‘lp{\ - p) 



if X = £ 



Prob OTf(b) = x 





313 



B receives a bit with probability t = + (1 — <p)^. If instead A is dishonest 

and sends bb or bb through the binary symmetric channel then the probability 
that B receives a bit is 1 — e = 2y>(l — ip). If no extra checks are performed, A 
could send bad pairs and figure out in Protocol 4.2 which set is good and which 
set is bad by the fact that good pairs are more likely to have been received. 

The errors are first solved (in Protocol 4.2) by the same trick as in [2] using 
codes to fix them, while the cheating by A is later taken care of (in Protocol 
4.3) by running statistics on the frequency of bb pairs. Protocol 4.2 introduces 
another kind of cheating A could perform that is also solved in Protocol 4.3. 



Intuition behind Protocol (^)-OT For this first protocol we assume A 

behaves honestly and will remove this assumption in the final protocol. The idea 

of the first protocol is that A sends 2n random bits ri, r2, ..., r2„ to B using OT^. 

B should receive roughly 2en of these and lose 2(1 — e)n. B forms two sets Iq, h 

of size n and thus defines two strings of size n (r' restricted to /o and 7i). 

String r/^ should be entirely known by B, while string rj. should be partially 

unknown by B. Nevertheless, because OT^ is imperfect, we expect an average 
2 

of differences between rr, and r', . 

6 c ic ^ 

A code is established between the parties to correct more than errors 
except with exponentially small probability in n. 

The errors are corrected by having A send the syndrome of the two words 
syn{ri^),syn{ri^). Using r'j^ and syn{rj^), B may recover except with small 
probability of failure. Nevertheless, this correction information is not sufficient 
to find out both words accurately, as long as the dimension of the code 

is somewhat greater than en. 

A privacy amplification function is finally used to extract one secret bit per 
string, so that one bit may be recovered by B but not both. This function is the 
scalar product by a random n-bit word m. 

In complete Protocol Let 7 be a number greater than 1. 

Protocol 4.2 ( (j)— OT(6o, 6i)(c) ) 

2n , 

1: DO A picks a random bit ri and rims OT«(r,) with B who gets r,. 

2: B picks and sends two random disjoint sets /o,/i s.t. |/o| = |/i| = n, and 
(Vi e Ic [r,' # c]). 

3: A cind B agree on a parity check matrix 77 of a concatenated code C 
with parameters [n,fe > (e + J)n,d] correcting y^n errors. 

4: A 

— computes and sends so <— syn{rjg) eind si <— syn(r/, ), 

— picks and sends a random n-bit word m, 

— computes and sends 60 <— ® (ui © and bi <— bi 0 (m © r/j). 

5: B 

— recovers rj^ using r)^,Sc and the decoding 2dgorithm of C, 

— computes and returns be 0 {m 0 rr„). 




314 



Details and discussion of Protocol (j)-OT The code used for this protocol 
requires the extra property that it must be efficiently decodable. This can be 
done by using concatenated codes. For <p < 0.1982 the conditions of Step 3 can 
be satisfied. Therefore, contrary to Protocol BC, this new protocol works only 
for reliable enough channels BS^ (not for all ^p). 

B is unable to cheat this protocol because whatever way he splits the “good” 
bits (r- 5/: e) between /o,A, he will not be able to put more (e + S/2)n good 
bits in at least one of Iq or Ii. Since A; > (e + S)n then syn(rj^),syn{ri^) each 
contain n — k bits of information, i.e. no more than (1 — e — J/2)n bits. Thus, 
at least one of the two words will be undetermined by at least Jn/2 = 

n — {\-\-6)nj2 — [\/2—6)n bits. Using privacy amplification, this word will contain 
an exponentially small amount of information about its related bit. Therefore, 
B cannot learn both of >l’s bits. 

Unfortunately, A can cheat this protocol in two different ways that allow her 
to figure out S’s secret input c: at Step 2 A can send “bad” pairs rifi or rjC,- 
instead of rjC; increasing the probability that it is lost (r( = e) hy B and at 
Step 4 she can send a “bad” syndrome leading S to a decoding error. In the first 
cheat, “bad” pairs are more likely to end up in the “bad” set thus indicating 
to A which one is more likely to be the “good” and “bad” sets. In the second 
cheat, if A makes only one syndrome bad then B might have to abort depending 
on which bit he is trying to get. Protocol 4.3 solves these two problems. 

Intuition behind Protocol (^)-OT The general idea of this new protocol is 
to repeat Protocol (j)-OT several times for random and C( and combine 

these instances in such a way to greyent ^’s cheating as above. 

More precisely. Protocol (j)-OT is repeated times. We combine the 
instances of (^)-OT in such a way that A must cheat in each instance if she wants 
to discover the value of c. Protocol OT is used a total of 2n^ times. In order to 
obtain information A must send at least bad pairs in these protocols. This 
will make a statistical difference that will be detected with probability almost 
1. If ^ uses less than bad pairs, she finds out nothing about c. Similarly, 
if A sends bad syndromes in protocol (^)-OT with probability 1/2 she will be 
detected by B because he reads according to a random choice. If she uses 0{n) 
such syndromes it is almost certain that B will detect her cheating. 

Let n be an odd number. The instances are combined by requesting that 

h,o 0 f'r.i = l>o 0 61 for 1 < / < n”. Let 60,0 = and 60,1 == These 

^=1 t=i 

requirements cause that for z = ^^c^. Thus in order to find out 

f=i e=i 

which of 60,0 or 60,1 B is trying to get, A must find out all the C(. 



Pull Protocol Let 7 be a number greater than 1 and n be an odd number. An 
extra index £ is added to each variable of the iteration of (j)-OT. 




315 



Protocol 4.3 ( (f)“OT(6oi ^i)(c) ) 

1 : A picks random bits 61,0,62.0, and sets 6r,i t— 60 0 61 ©6< o, for 

1 < ^ < 

2 : B picks rcindom bits ci , C2, ...,c„2. 



3 : DO 

/=} 



1 . A runs (j)-OT(6<.o, 6/,i )(c<) with B who gets 6^, 

2 . if , r'l ,^ ) > y^n then B aborts. 

4 : if ^#{f, i I rj , e} < 2 en® - then B aborts 

else B computes and sends c' <— c 0 I ct j ■ 

\<=l / 

/ ""* \ 

5 : A computes and sends 6 q t— 60 0 I j and 61 <— 61 

\'=> / 

to B. 

( 

6 : B computes eind returns be © I 6< 




Details of the Protocol The test of Step 3.2 is to decide if the syndrome 
sent by A was valid. The value 7^n is the scope of the decoding algorithm of 
the concatenated code. If the decoded word was further than this distance then 
clearly the syndrome was wrong. If the test of Step 4 is negative then B is almost 
certain that A has not cheated times over the 2n^ transmissions. 



4.2 Analysis of the protocol 



r 0 if 7*^' • — C 

Let Zij = I ^ jf j!i’[ ^ g ■ When A sends valid pairs rij-r,- j in Protocol 4.3 clearly 

( n^ 2n \ 

ES Zj J I = 2 en^. On the other hand, if A wants to take advan- 
:=lj=l / 

tage of this kind of cheating, she must cheat in each of the iterations of the 
protocol (if not she will loose completely one of the ci and thus c). In that case 

( n^ 2n \ 

E < e(2n^ — n^) + (1 — e)n^ = 2en® - (1 — 2<^)^n^. 




316 



Theorem 4. There exists a constant p < I with the following properties: when 
A does not use "bad” pairs then 



Prob 



n‘‘ 2n 






< p 



j 1 = 1 jz=l 

whereas, when she cheats times, 



Prob 



2n 



Y1 > 2e« S ^ 



<P" 



i-l j = l 



Proof (sketch). Follows from Bernstein’s law of large numbers. 

Thus, except with exponentially small probability, an honest A will pass the 

test of Step 4 while a dishonest A will fail that same test. 

2 

If A is honest, the probability that more than j^n errors occur during 
transmission by accident is exponentially small. Thus an honest A who sends 
correct syndromes, is unlikely to fail the test of Step 3.2 while a dishonest A 
who deliberately sends a wrong syndrome will be detected with probability 1/2, 
if B happens to use that syndrome at random. 

Finally, for the same reasons discussed in Sect. 3.2, because of Privacy Ampli- 
fication B cannot obtain information about both 6o and 6i through the instances 
of protocol (J)-OT. 



5 Conclusion and Open Question 

We have obtained two new protocols for the cryptographic primitives of Bit 
Commitment and One-out-of-Two Oblivious Transfer based on the existence of 
a BSC using Privacy Amplification. The protocol for BC requires 0(n) uses 
of the BSC, while the protocol for (j)-OT requires O(n^) uses of the BSC. 
If we combine these protocols with the protocol of Crepeau, van de Graaf and 
Tapp [8] for Private Multi-Party Computation to achieve any two-party function 
evaluation which requires O(n^) BCs and 0(n) (j)-OT per gate, we end up with 
a protocol requiring a total of 0(n'’) uses of the BSC per gate of the computation. 
Our main open question is to obtain (j)-OT with only O(n^) uses of the BSC 
and thus any two-party computation at a cost of O(n^) uses of the BSC per 
gate. Another open question is to find an equally efficient protocol for (f)-OT 
using a BSe for values of e above 0.1982. 



6 Acknowledgments 

We thank Gilles Brassard, Jeroen van de Graaf, Joe Kilian, Ueli Maurer, Alain 
Tapp, and Louis Salvail for support, suggestions and comments on this work. 




317 



References 

1. C.H. Bennett, G. Brassard, C. Crepeau, cuid U.M. Maurer. Generalized Privacy 
Amplification. IEEE Transaction on Information Theory, Volume 41, Number 6, 
November 1995, pp. 1915-1923. 

2. C. H. Bennett, G. Brassard, C. Crepeau, and M.-H. Skubiszewska. Practical quain- 
tum oblivious transfer. In Advances in Cryptology: Proceedings of Crypto ’91, Lec- 
ture Notes in Computer Science, Vol. 576, pages 351-366. Springer- Verlag, 1992. 

3. M. Blum. Coin flipping by telephone. In Proceedings of IEEE Spring Computer 
Conference, pages 133-137. IEEE, 1982. 

4. G. Brassard, D. Chaum, and C. Crepeau. Minimum disclosure proofs of knowl- 
edge. Journal of Computer and System Sciences, 37:156-189, 1988. 

5. G. Brassard, C. Crepeau, R. Jozsa and D. Langlois, “A quantum bit commitment 
scheme provably unbreakable by both parties,” Proceedings of 3fth IEEE Sympo- 
sium on Foundations of Computer Science, 1993, pp. 362-371. 

6. J.L. Carter and M. N. Wegman, “Universal classes of hash functions”. Journal of 
Computer and System Sciences, Vol. 18, 1979, pp. 143-154. 

7. C. Crepeau. Equivalence between two flavours of oblivious transfers (abstract). 
In C. Pomerance, editor, Advances in Cryptology: Proceedings of Crypto ’87, 
pages 350-354, Springer-Verlag, 1988. 

8. C. Crepeau, J. van de Graaf and A. Tapp. Committed Oblivious Transfer and 
Private Multi-Party Computations. Advances in Cryptology: Proceedings of Crypto 
’95, August 1995, pp. 110-123. 

9. C. Crepeau and J. Kiliein. Achieving oblivious transfer using weakened security 
assumptions. In 25'^ Symposium on Foundations of Computer Science, pages 
42-52. IEEE, 1988. 

10. S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing con- 
tracts. In R. L. Rivest, A. Shermein, and D. Chaum, editors. Proceedings CRYPTO 
82, pages 205-210, Plenum Press, New '^ork, 1983. 

11. Forney, G. D., Concatenated Codes, The M.I.T. Press, 1966. 

12. O. Goldreich, S. Micali and A. Wigderson, How to play any mental game, or: 
A completeness theorem for protocols with honest majority In Proc. 19th ACM 
Symposium on Theory of Computing, pages 218-229, ACM, 1987. 

13. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their 
vahdity, or All languages in MV have zero-knowledge proof systems. Journal of 
the ACM, 38:691-729, 1991. 

14. J. Kiliem, Founding cryptography on Oblivious transfer, 20^^ ACM Symposium on 
Theory of Computation, 1988, pp. 20-31. 

15. F. J. MacWilliams and N. J. A. Sloane. The Theory of Error- Correcting Codes. 
North-HoUand, 1977. 

16. M.O. Rabin, How to exchange secrets by oblivious transfer. Technical Memo 
TR-81, Aiken Computation Laboratory, Hcirvard University, 1981. 

17. A. Renyi, Probability Theory, North Holland, 1970. 

18. S. Wiesner. Conjugate coding. SIC ACT News, l5(l):78-88, 1983. Mcinuscript 
written circa 1970, unpublished until it appeared in SIGACT News. 

19. A. D. Wyner, “The wire-tap channel”, Bell System Technical Journal, Vol. 54, 
no. 8, 1975, pp. 1355-1387. 

20. Yao, a. C.-C., “Protocols for secure computations”. In Proceedings of the 23rd 
Annual IEEE Symposium on Foundations of Computer Science, November 1982, 
pp. 160- 164. 




Rapid Demonstration of Linear Relations 
Connected by Boolean Operators 



Stefan Brands 

DigiCash, Kruislaan 419, NL-1098 VA Amsterdam, The Netherlands. 
El-mail: brandsSdigicash . com 



Abstract. Consider a polynomial-time prover holding a set of secrets. 
We describe how the prover can rapidly demonstrate any satisfiable 
boolean formula for which the atomic propositions axe relations that 
axe linear in the secrets, without revealing more information about the 
secrets than what is conveyed by the formula itself. Our protocols sup- 
port many proof modes, and axe as secure as the Discrete Logarithm 
assumption or the RSA/factoring assumption. 



1 Introduction 

Consider a polynomial-time prover that has committed to a vector of secrets 
and wants to demonstrate that the secrets satisfy some satisfiable formula from 
propositional logic, where the atomic propositions are relations that are linear 
in the secrets. An example formula is 

((5xi - 3x2 = 5) AND {‘2x2 + Srcg = 7)) OR (NOT(a;i -f = 5)) , 

where {xi,. . . ,Xk) is the prover’s vector of secrets. The prover does not want 
to reveal any more information about its secrets than what is conveyed by the 
formula itself. Can a truly practical protocol for this task be constructed? 

In this paper we will show that truly practical protocols exist, assuming the 
intractability of the Discrete Logarithm problem or the RSA/factoring prob- 
lem. Our protocols can be performed in all manner of proof modes, including 
four-move zero-knowledge proofs, three-move witness-hiding proofs, interactive 
or non-interactive signed proofs that are provably secure in the random oracle 
model, limited-show proofs, multi-prover proofs, and blinded and restrictively 
blinded signed proofs. 

Our results are organized as follows. Section 2 discusses preliminary notions 
and reviews basic results. Related work is discussed in Section 3, In Section 4 we 
introduce our techniques for rapidly demonstrating linear relations connected by 
boolean operators. We conclude in Section 5. 

2 Preliminaries 

Throughout this paper, the polynomial-time prover and the (not necessarily 
polynomial-time) verifier are denoted by V and V, respectively. The symbol 
“4—” is used to denote assignment, and | ■ j denotes binary length. The symbol 
and the word “random” indicate an independent and uniformly random 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 318-333, 1997. 
© Springer- Verlag Berlin Fleidelberg 1997 




319 



choice, and we allow distributions that are computationally indistinguishable 
for polynomially bounded V and statistically indistinguishable for unbounded 
V. Whenever we say that V is able to prove knowledge, we imply the existence 
of a knowledge extractor that outputs a witness when having oracle access to V. 

Our techniques can be based either on the Discrete Logarithm assumption 
or on the RSA/factoring assumption. We now discuss preliminary notions and 
basic cryptographic results for these two settings. 



2.1 Discrete Logarithm Setting 

Set-up. V and V initially agree on a cyclic group of order q, denoted by Gq, 
where q is an integer. Efficient algorithms must be available for recognizing, 
testing equivalence of, and multiplying numbers in Gg. Without loss of generality 
it is assumed that q uniquely identifies Gg. Additionally, A: > 1 generators, 
9 i) ■■■ , 9 k, of Gq, are agreed on; we call { 91 ,- ■■ ,9k) a generator-tuple. Prom now 
on, an integer in the Discrete Log setting is said to be “small” if it is polynomial 
in l^’l, and “large” otherwise. 

Using the terminology of [6, 7], a representation of a number h £ Gq with 
respect to { 91 , • ■ ■ ,9k) is a vector of numbers, (xj , . . . ,Xk), such that 

h-U9r, 

i=l 



where xi,. . . ,Xk are in Xq. 

Intractability of Collision-Finding. For the security of V it is important 
that V cannot know more than one representation of the same number, since it 
serves as a commit on 'P’s secrets. For the purpose of the following proposition, 
which has been proved by Chaum, van Heijst and Pfitzmann [14] for constant 
k, and by [6, page 16] more generally^ for all small k, we assume that q is gener- 
ated according to a probabilistic polynomial-time algorithm (the “DL-instance 
generator”) that, on input a security parameter, outputs a triple {q,9, h), where 
g and h are generators of Gq . 

Proposition!. Consider the case that q, as output by the DL-instance gen- 
erator, is always a prime, and k is small. Assuming that the Discrete Loga- 
rithm problem is intractable over the DL-instance generator, there cannot exist 
a polynomial-time algorithm that, on input q (having a distribution that is in- 
distinguishably close to that of q induced by the DL-instance generator) and a 
randomly chosen generator-tuple [gi,.. ■,9k), outputs with non-negligible proba- 
bility of success a number h E Gq and two different representations of h. 

^ Bellare, Goldreich and Goldwasser [2] noted that the reduction can be modified to 
achieve a success probability for the Discrete-Logarithm finder that is within a con- 
stant factor of that of the collision-finding oracle, instead of being inversely propor- 
tionate to k. Specifically, their modification achieves a constant factor 1/2, instead of 
2/fc. Note, however, that the optimization mentioned in [6, page 17] already achieves 
this (the constant factor is 1/2 -f l/(2fc)). 




320 



In case the invulnerable DL-instance generator outputs composite g’s, it may be 
easy to find collisions. In particular, as noted by Chaum et al. [13, page 13], if 
r is a small prime factor of q then one can easily find collisions, by raising the 
generators in the generator- tuple to the power qjr and computing their relative 
Discrete Logarithms in the subgroup of order r. As in Stinson [32, page 239], 
one can alleviate this situation if q/r is a large prime (or a composite that is 
infeasible to factor) by restricting the elements xi , . . . , Xfc of a representation to 
be in Alternatively, we can consider a DL-instance generator that outputs 

q’s that have only large prime factors; finding collisions then requires one to 
break the Discrete Logarithm problem in Gq or to factor q. In addition, as in 
Brickell and McCurley [12], one can let the Qi’s be generators of a non-trivial 
subgroup of Gq. 

To guarantee V’s security one should generate the elements of the set-up 
in accordance with the probability distributions of the appropriate DL-instance 
generator, depending on which form of q's one is interested in. The set-up should 
be generated by V itself, in a mutually random fashion between V and "P, by a 
party trusted by V or liable for security breaks by V, or in any other manner 
that ensures that V cannot find collisions for the generated instance. 

Proving Knowledge. Our results in Section 4 can be based on any proof 
of knowledge (see Bellaie and Goldreich [1]) of a representation. For practical 
purposes we are interested in highly efficient protocols that offer a wide range of 
proof modes. The following generic protocol enables V, for any m with 1 < m < 
k, to demonstrate knowledge of a representation, (a;i , . . . , Xm) (its secret key), of 
a number h E Gq (its public key) with respect to a generator-tuple, {gi, - ■■ ,9m)- 
We assume for the moment that q is a prime. 

Step 1. V generates at random m numbers lOi, . . . ,Wm '^g, and sends a t— 
n™i5rtov. 

Step 2. P computes m responses, responsive to a challenge c € according 
to r, ■(— cXi •+■ Wi mod q, for i = 1, . . . ,m, and sends them to V. The process 
of generating c and the size of t determine the proof mode of the protocol; 
in the appendix several proof modes of particular relevance are discussed. 
Step 3. V accepts if and only if Ilili 9i' ~ “• 

One can also consider the above protocol for q's that are not prime, and in 
particular for all the forms discussed in the preceding subsubsection. Of course, 
this has ramifications with respect to the proof modes and/or the intractability 
assumptions needed for security. 

Rapid Computations. Rapid evaluation of can be performed us- 

ing simultaneous repeated squaring (see Knuth [23, exercise 27, page 465]). For 
efficiency one can, for all 2™ subsets of {^i, . . . , 9m}, precompute the product of 
the Qi's in the subset, and store the products in a table. With 1 < / < m, the 
product nUi 9i' computed using d = [m/^] precomputed tables, using 

simultaneous repeated squaring for each of the d sub-products and multiplying 
the sub-product results. Several variations and optimizations of this basic tech- 
nique are known in the literature. For example, one can process j > 1 exponent 
bits at once; the size of the precomputed table then increases by a factor , 

while the workload decreases by approximately a factor j. 




321 



2.2 RSA Setting 

Set-up. V and V initially agree on a group Z* , where n = pq and p and q are 
distinct primes. They also agree on an integer, v. Additionally, A: > 1 numbers, 
Qi, . . . ,Qk, all in Z„, are agreed on. Ftom now on, an integer in the RSA setting 
is said to be “small” if it is polynomial in |nj, and “large” otherwise. 

A representation of a number h in Z„, with respect to {gi, . . . ,gk,v), is a 
vector of numbers, (xi, . . . ,Xfc,x*+i), such that 

k 

h= modn, 

i=l 

where Xk+i is in and xi, . . . ,X(t are in Z„. 

Intractability of Collision-Finding. For the security of V it is important 
that at least V cannot know more than one representation of the same number. 
For the purpose of the following two propositions, we assume that n is gener- 
ated according to a probabilistic polynomial-time algorithm (the “RSA-instance 
generator”) that, on input a security parameter and an integer v, outputs a pair 
{n,y Q Z„). For any integer w > 2, we can consider the problem of extracting 
u-th roots modulo n; this is called the RSA problem for that particular v. 

Proposition 2. Suppose that v is a prime that is co-prim, e to <p{n), and that 
k is small. Assuming that the RSA problem for v is intractable over the RSA- 
instance generator, there cannot exist a polynomial-time algorithm that, on in- 
put n (having a distribution that is indistinguishably close to that of n induced 
by the RSA-instance generator) and randomly chosen (pi, . . . ,9k), outputs with 
non-negligible probability of success a number h 6 Z„ and two different repre- 
sentations of h with respect to {gi, ■ ■ ■ ,gk,v). 

Sketch of proof. To compute mod n, on input y & 1 j*^, construct each gi 
as y^'Si mod n, for Vi En and s» En Z*. If the oracle output is correct, a 
relation of the form y* = u” mod n can be computed, for known t £ and 
u e Z* , and from this y'/” mod n can be computed. 

Note that if p and q are random primes of equal size, then a random ele- 
ment in Z* has small order with negligible probability; see H^tad, Schrift and 
Shamir [21, Proposition 1], 

Other choices of v are possible as well. For example, in case v is small and 
not co-prime to <p{n), according to Ohta and Okamoto [25, Theorem 1] it is as 
hard to compute n-th roots as to factor the modulus. By restricting the pj’s and 
Xk+i in the definition of a representation to n-th residues, one can prove the 
difficulty of finding collisions for v’s of this particular form in a likewise manner. 
The following result shows that this also holds for large n of a special form. 

Propositions. Consider the case in which n = 2*, for any integer I, and the 
RSA-instance generator always outputs Blum integers (i.e., p and q are congru- 
ent to 3 mod 4). Furthermore, restrict the number x^+i in a representation to be 
a quadratic residue. Assuming that the factoring problem is intractable over the 




322 



RSA-instance generator, there cannot exist a polynomial-time algorithm that, 
on input n (having a distribution that is indistinguishably close to that of n in- 
duced by the RSA-instance generator) and randomly chosen quadratic residues 
ioij ■ ■ -,9k), outputs with non-negligible probability of success a number h £ 
and two different representations of h with respect to [g\, ■ ■ ■ , 9 k,v). 

Proving Knowledge. Our results in Section 4 can be based on any proof of 
knowledge of a representation. The following generic protocol is very efficient 
and offers a wide range of proof modes. For any m with 0 < m < fe, the protocol 
enables V to demonstrate knowledge of a representation, {x\,. .. ,Xm,Xm+\), of 
a number h € with respect to {g^,. . . For the moment, we assume 

that u is a prime that is co-prirne to tp{n). 

Step 1. V generates at random m numbers wi,. . . , £-ji Z^,, and a number 
u>m+i Z„. P computes a •«— gj"' - - • ™od n, and sends a to V. 

Step 2. V computes m + 1 responses, responsive to a challenge c £ Z 21 , accord- 
ing to r, <r- cXi -\- Wi mod v, for 1 < * < m, and 

m 

J’m+I <- mod n, 

i=J 



and sends them to V. 

Step 3. V accepts if and only if (111=1 ffP) ' ^m+\ — *^od n. 

All the proof modes for the proof of knowledge discussed in the Discrete Log- 
arithm setting apply here as well, with the obvious modifications. If m = 0 we 
have the Guillou-Quisquater protocol [20] and if m = 1 the Okamoto proto- 
col [26, page 39]. 

By making minor adjustments to the above protocol, we can use v’s that are 
not prime and/or not co-prime to <^(n). In all these cases, one has to restrict 
the set from which the g(s and Xm+i £uid Wm+i are chosen, to avoid leakage 
of information about V’s representation; similar adjustments as discussed in 
the preceding subsubsection can be made. Note, however, that if 1 ; is a large 
composite with a small prime factor, u, and it is feasible to randomly generate 
u-th residues without knowing a u-th root, then V can convince V in the three- 
move protocol with non-negligible success probability (specifically, 1/u if u/u has 
no small prime factors, and larger otherwise) without knowing a representation 
of h with respect to (pi , . . . , gt, u); for these u’s, another protocol should be used. 



3 Related Work 

A constant-round zero-knowledge argument for our task can be constructed by 
properly reducing the boolean formula that is to be demonstrated to an instance 
of the NP-complete language Directed Hamiltonian Cycle, and applying the zero- 
knowledge argument of knowledge of Feige and Shamir [18]. However, techniques 
such as this are not practical, because they amount to encoding the statement 
into a boolean circuit and using commitments for each gate. 




323 



By restricting q in the Discrete Logarithm setting to be a prime, one can 
define a relation, R = generator-tuple 

(ffij • • • ,9k) and any vector of coefficients (ai, . . . ,a/t) € (Z,)*’ \ {0}*, as follows: 

fc k 

{{h,b), [xi,...,xk)) e R 44- h = ]~[ gf’ and b~y^ ajXj mod q 

i=l i=l 

The corresponding language is easily seen to be random self-reducible. In the 
RSA setting, for v a prime that is co-prime to ip{n), a random self-reducible 
language can be defined in a similar manner. Now, by applying the construction 
of Tompa and Woll [33] one gets a perfect zero-knowledge proof of knowledge 
for both languages, but these protocols use binary-valued challenges and re- 
quire polynomially many rounds. For the special case k = 3 and b = xi + X 2 + 
mx 3 mod q, and fo is an undeniable signature of P on a message m of the (unlim- 
ited powerful) V, this construction has been used for signature confirmation by 
Chaum et al. [14]. We remark that it is straightforward to improve the protocols, 
by using a large challenge domain and prepending a move in which the verifier 
commits to its challenge (note that this improvement has been overlooked by 
Chaum et al. [14]), but the resulting protocols remain less efficient than ours. 
Moreover, our protocols facilitate many other proof modes. 

De Santis, Di Crescenzo, Persiano and Yung [17] show how to prove any 
monotone formula over a random self-reducible language (Cramer, Daragard 
and Schoenmakers [15] independently discovered virtually the same technique). 
If a monotone formula has m logical connectives, then this technique requires the 
prover to perform m proofs of knowledge, one for each sub-formula. In contrast, 
our “AND” technique has the property that the communication complexity for 
both the prover and the verifier slightly decreases as the number of “AND” 
connectives increases, and the computational complexity is virtually unaffected. 
Moreover, the technique of De Santis et al. uses binary-valued challenges, and 
thus polynomially many repetitions are needed. 

Furthermore, the technique of De Santis et al. and Cramer et al. applies only 
to monotone boolean formula, while we have a very efficient “NOT” technique. 
Chaum et al. [14] describe a perfect zero-knowledge protocol for the “NOT” of 
their special relation, b = xi X 2 + mxz mod q, but this protocol inherently 
works for binary-valued challenges only. Moreover, in each iteration the signer 
must compute seven commitments, requiring many exponentiations in G,,, and 
it is unclear how to efficiently construct other proof modes. 

Another important difference is in the scenario that is considered. Namely, 
De Santis et al. and Cramer et al. consider a situation in which there are many 
different public keys, and V demonstrates (in zero-knowledge) that it knows the 
secret keys corresponding to some of these. In contrast, we are concerned with 
the situation in which the prover knows a single public key, and demonstrates 
that its secret key satisfies a certain formula. 

4 Demonstrating Boolean Formulae for Linear Relations 

In this section we describe our proof techniques for “AND,” “NOT” and “OR” 
connectives, respectively, and then show how to combine them in order to demon- 




324 



strate arbitrary boolean formulae. Without loss of generality we base our discus- 
sions on the Discrete Logarithm setting, and for the RSA setting describe only 
the necessary adaptations. Note that if A: = 1, then V can verify for any boolean 
formula directly whether the secret of V satisfies it, and so from now on we only 
consider the case k> 2. 



4.1 Formulae with only “AND” connectives 

We first consider the situation in which V has to demonstrate a satisfiable for- 
mula with zero or more “AND” connectives. At the outset, V has committed to a 
set of secrets, (a:i , . . . , Xk), by sending a number h € G, to V, where (ajj , . . . , Xk) 
is a representation of h with respect to (pi, . . . , g*,). Without loss of generality, 
we assume that V has to demonstrate to V that this representation satisfies the 
following system of Z > 1 independent linear relations: 



an . . . ai^k-i 1 0 . . . 0 
0:21 ■ • • 02,*:-/ 0 1 . . . 0 

0/1 ... aik-i 0 0 . . . 1 



mod q. 



The coefficients aij, for 1 < i < I and 1 < j < k — I, are elements of and 
7t( ) is a permutation of {1, . . . , k}. The corresponding boolean formula is: 

(6i = oiia:„(i) H h Qi,*:_/x^(*._/) +x^(k-i+i) mod q) AND . . . 

. . . AND {b[ = a/ix,r(i) + • ■ - + o/,*:-/a;,r{fc-/) + x^^k) mod q). (2) 

Note that the atomic proposition is the special case / = 1. 

Our technique for demonstrating formula (2) is based on the following result. 

Proposition 4. V can demonstrate knowledge of a representation of 






with respect to 



(sttII) JJ 5,r(*:‘l/+i)i •••1 5 jt(*:-/) Jj5„(*;l/+j)) 

i=l i=l 

if and only if it knows a set of secrets that satisfies the formula (2). 

The proof follows straightforwardly, by considering the relations that are satisfied 
by the output of the knowledge extractor. Note that the tuple in Proposition 4 
is a generator-tuple with overwhelming probability in case q is a prime and the 
prover selects the matrix entries, ay, and can always be guaranteed to be so 
when the matrix entries are determined by V. 

We can efficiently implement the protocol by using the proof of knowledge for 
Discrete Logarithm representations described in Section 2. An important benefit 
of using this protocol is that one can expand the resulting expressions, so that 
V and V can use a single precomputed table for simultaneous repeated squar- 
ing, independent of the particular formula that is demonstrated. The resulting 
(generic) protocol steps are as follows; 




325 



Step 1. V generates at random k — I numbers, wi, . . . ,Wk-i €-r Z,, and com- 
putes 

k — I I — i 

^ jTJ TT .. ^3=1 

11 ^Tr(i) xi. ^jr(fc~i+») 

i=zl i=l 

V then sends a to V. 

Step 2. V computes a set of responses, responsive to a challenge number c in 
Z 2 < , as follows; 

Ti t- ca:,r(j) + Wi mod q, Vi € {1, . . . , fc - /}. 

V then sends (rj , . . . , r*_;) to V. 

Step 3. V computes 

k-l 

Tk-i+i t- ci)i - ^ aijVj mod q, Vi € {1, . . . , 

i=i 

and accepts if and only if 

i=l 

The particular proof mode of the protocol is “inherited” from the mode in which 
the underlying proof of knowledge is performed, and a further discussion is there- 
fore omitted here. Note, however, that special care must be taken for signed 
proofs: the transcript of a protocol execution is always convincing of the fact 
that V knows a set of secrets corresponding to h, but convinces of its conformity 
with the demonstrated formula only when a uniquely identifying description of 
the demonstrated formula is hashed along (or when the ’s and the 6,’s are all 
restricted to sets that are negligible in the range of the hash function). 

To base the proof on the RS A /factoring problem, consider V having to prove 
the system of linear relations (1), but with “mod v” replacing “mod g.” We 
assume that V has committed to a set of secrets, (a;i, . . . , a;*,), by sending h t— 
■ ■ ■ 9k’’^k+i ^ for some Xk+i in Z* . 

Propositions. For any integer v >2, V can prove knowledge of a representa- 
tion of 

i 

i=l 

with respect to 

i i 

(.9.(1) n “od n, . . . , g^^k-l) J] 9^il-T+i) ' 

1 i— 1 

if and only if it knows a set of secrets that satisfies the formula. 

By using the efficient proof of knowledge for the RSA setting described in Sec- 
tion 2, again expanding the resulting expressions, a single precomputed table 
can be used for simultaneous repeated squaring; of course, one then also inherits 
the limitations in the range of choices for v. 




326 



4.2 Formulae with only “NOT” connectives 

We next study the situation in which V has to demonstrate that a linear relation 
does not hold, without revealing more information than required. The situation 
at the outset is as in Subsection 4.1. This time, V has to demonstrate to V that 
its representation satisfies the formula 

NOT (a:^(i) - ai + ol 2 X„( 2 ) H h akXn(k) mod q) . (3) 

The coefficients Oj, for 1 < i < A:, are elements of Z,. Clearly, the permutation 
7t(-) can always be defined to interchange at most two elements and leave the 
rest unchanged. 

Our technique for demonstrating formula (3) is based on the following result. 

Proposition 6. Let q be a prime. V can prove knowledge of a representation of 
with respect to 

if and only if it knows a set of secrets that satisfies the formula (3). 

Sketch of proof. With [yi, . . . ,yk) denoting the representation output by the 
knowledge extractor, if ?/i = 0 then a non-trivial representation of 1 has been 
found and hence the Discrete Logarithm problem is tractable, and if ^ 0 then 
the representation satisfies formula (3). 



Proposition 7. If the proof of knowledge performed by V in the preceding Propo- 
sition is witness indistinguishable, then it is impossible for V ( even with unlimited 
computing power) to learn any information about the difference between and 
«i + a 2 X„( 2 ) H + akx„(^k) mod q. 

Sketch of proof. Denoting the representation known to V by {zi, . . . , zk) and 
the difference by e, observe that Zi — 1/e mod q, and so information about e 
is leaked if and only if information about Zi is leaked. Since k > 2, for each 
Zi € Z, there is a representation containing that zi; and because there are 
equally many (namely, such representations for each zi and the protocol 

is witness-indistinguishable, no information about e leaks. 

If q is not a prime, then the inverse of the difference number, e, is not guaranteed 
to exist. If g is a composite that is hard to factor then zero-divisors cannot be 
found and so nothing is lost, and in other cases we can force the existence of an 
inverse by making additional assumptions about the coefficients in (3) and/or 
about the representation of P. 

Applying the efficient proof of knowledge for the Discrete Logarithm setting 
described in Section 2, the following practical protocol results; 

Step 1. P generates at random k numbers, w\,. . .,Wk &n Z,, and computes 






k 



ir(i)' 



P then sends o to V. 




327 



Step 2. Let e denote (qi + — ^;,r(i) mod g, and let 5 = e ^ mod g. 

■p computes a set of responses, responsive to a challenge number c in 'Ein , 
as follows; 



ri •<— c5 + Wi mod g, 

Vi e- cx„(^i'jS + Wi mod g, Vi € {2, , A:}. 

V then sends (ri, . . . , r*) to V. 

Step 3. V accepts if and only if 



^ yjr(l) 



i=2 



jr(i)- 



As before, this protocol inherits the proof modes of the protocol described in 
Section 2. Note that signed proofs convince only of the demonstrated formula if 
the Oi’s are hashed along or if they are restricted to be in small sets. 

Our technique can also be based on the RS A/factoring problem. Consider 
V having to prove formula (3), with “mod v” replacing “mod g,” and having 
committed to (a;i, . . . ,Xk) using h mod n, for Xk+\ in Z„. 

Propositions. If v is a prime (or a composite that is hard to factor), then V 
can prove knowledge of a representation of 9n{i) "with respect to 

mod n, . . . , 9^l^9n(k) mod n, v), 
if and only if it knows a set of secrets that satisfies the formula. 

Of course, if i; = 2 then all boolean formula are monotone and one can do 
without this technique. 



4.3 Formulae with only “OR” connectives 

We now show how V can demonstrate that at least one of two linear relations 
holds, without revealing which one; this technique is an application of the “OR” 
technique of De Santis et al. and Cramer et al., although the scenario is different. 
The situation at the outset is again as in Subsection 4.1, This time V has to 
demonstrate to V that the representation known to it satisfies the formula 



k k 

(a;„(i) = ai + ^ mod g) OR (Xp(i) = (h + mod g). (4) 

i=2 j=l 



The coefficients Oj and Pi, for I <i < k, are elements of Z^, and n(-) and p{-) 
are permutations of {1, . . . , fc} that can always be defined to interchange at most 
two elements each. 

If (and only if) the first linear relation holds, then V can compute, for any 
challenge ci, responses (r 2 , . . . ,7*,) such that 



a\ = h 



-Cl 






‘o”* ■ 

yn(2) 



■C[ky 




328 



where 



y“_ . 

“1 = 



TT 

11 ■9ir(i) 



i=2 



for random W 2 ,-. ■ ,Wk in Z, . Likewise, if (and only if) the second linear relation 
holds, then V can compute, for any challenge C 2 , responses (.S 2 , • ■ • , Sk) such that 



U2 = h 



9p{i) 



9p(2) 9p(k) ’ 



where 






Pi Vi 



C(2) 






for random v^, ■ ■ ■ ,Vk in Z^. To demonstrate formula (4), we have V choose one 
of the two challenges, Ci or C 2 , at random by itself, so that it can anticipate 
that challenge by calculating a suitable Uj from the self-chosen challenge and 
a set of randomly self-chosen “responses.” To ensure that V cannot choose the 
other challenge by itself as well, V must use challenges Ci and C 2 such that, say, 
the bitwise exclusive-or of ci and C 2 is equal to the supplied challenge, c. (Of 
course, “simulation” is needed only for those sub-formulae that do not hold; if 
both sub-formulae would be true, V can do without a self-chosen challenge.) 

This technique can straightforwardly be generalized to a formula with more 
than one “OR.” connective, and as before an efficient implementation can be 
obtained by using the proof of knowledge of Section 2. A description based on 
the RSA/factoring problem is straightforward, and hence omitted. 



4.4 Putting it all together 

We now show how to combine the basic demonstration techniques, in order 
to demonstrate arbitrary satisfiable formulae from propositional logic, where 
the atomic propositions are linear relations over Z,. We hereto first show how 
to combine the techniques of Subsections 4.1 and 4.2 in order to demonstrate 
any satisfiable formula from propositional logic that has zero or more “AND” 
connectives and at most one “NOT” connective; these formulae play a central 
role in combining the basic techniques. 

A consistent system consisting of linear relations and one linear inequality 
can be written as a system of linear relations by introducing a difference term, 
denoted by e. By appropriate substitution, the system can then be represented 
by the matrix equation 



/ail ■ 
021 • 


■ oii,k-i 1 0 . 
• 0 1 . 


■ o o 




( \ 




(hi - fie\ 
b2 - /2C 


\an ■ 


. 0 0 . 










1 .. 



where fi, ■ ■ ■ ,fi are numbers in Z,. (Clearly, one of the /j’s can always be 1.) 

Our technique for demonstrating the boolean formula that corresponds to 
the system (5) is based on the following result. 




329 



Proposition 9. V can prove knowledge of a representation of 

i 

1.1 ^n{k—l+i) 

1=1 



with respect to 



1 ( I 

•••1 57r(fc-i) U5,r(fc_i+i)y 



i=l 



t=l 



1=1 



if and only if it knows a set of secrets that satisfies the system (5). 

As in Proposition 7, e is information-theoretically hidden if the proof is witness- 
indistinguishable, provided that I < k. li k = I, then V can check the validity 
of the system (5) directly from V’s public key, without interacting with V; com- 
puting € then is as hard as breaking the Discrete Logarithm problem, and e has 
at least 0(log |g|) bits that are simultaneously hard-core. 

We are now prepared to describe our general technique. Any boolean formula, 
F, can be expressed in the form 

F = Qi AND • • • AND (6) 

where each sub-formula, Qi, has the format OR • •• ORRi,mij and each 
subsub-formulae, Rij, is a formula from propositional logic that connects linear 
relations over Z, by zero or more “AND” connectives, at most one “NOT” con- 
nective and no other logical connectives. We have just seen how to demonstrate 
Rij, and by using the technique of Subsection 4.3 we can have V demonstrate 
a single sub-formula, Qi. To prove the formula F, V needs to demonstrate the 
validity of all m sub-formulae, Qi,. ■ ■,Qm- Hereto the corresponding m proofs 
can all be performed in parallel, responsive to the same challenge. 

An optimization is sometimes possible, depending on the complexity of F. 
Namely, a system of the form (5) can be interpreted as corresponding to an 
atomic proposition. To demonstrate knowledge for this atomic proposition, our 
techniques have V demonstrate knowledge of a secret key corresponding to a 
“distorted” public key, with respect to a “distorted” generator tuple. We can 
now apply the monotone formula technique of De Santis et al. and Cramer et 
al. to prove monotone boolean formulae over these atomic propositions. In par- 
ticular, the restrictions according to which V generates its self-chosen challenges 
from the supplied challenge can be dictated in accordance with the secret-sharing 
construction of Benaloh and Leichter [4] for the access structure defined by the 
dual of the formula F (see Cramer et al. [15] for details). In other words, express- 
ing F in a more compact form than (6) may lead to a more efficient protocol. 

A further optimization is for V to batch-process verification relations that 
correspond to atomic formulae that are connected by “AND” operators; this 
can be done similarly to the technique of Naccache, M’Rai'hi, Raphaeli and Vau- 
denay [24] for batch verification of DSA signatures. 

A description of the above techniques based on the difficulty of factoring or 
computing RSA-roots poses no particular difficulties, and is hence omitted. 




330 



5 Conclusion 

An interesting problem is to extend the set of atomic propositions beyond linear 
relations. True practicality requires constant-round proofs of knowledge for which 
the computation and communication complexity are linearly dependent on the 
number of secrets of V and the size of its public key, but independent of the 
parameters specifying the atomic proposition or anything else. The following 
approaches do not satisfy this criterion: 

- The technique of Damgard [16] can be adapted in order to demonstrate 
atomic formulae of the form 

+ 02 X 2 ^ H h ojfex^’' = oi mod q, 

but this requires V to perform Uj) separate basic proofs of knowledge 

and proofs of equality of discrete logarithms; 

- Brickell, Chaum, Damgard and Van de Graaf [11] showed how to prove that 
an exponent is in an interval, but their protocol inherently requires binary 
challenges (and thus polynomially mamy iterations) , and moreover the proof 
must be performed for a substantially larger interval in order to avoid leakage 
of information; and 

- The protocol of Pfitzmann [28] for demonstrating multiplications in zero- 
knowledge also inherently requires binary challenges. 

Moreover, in all three cases the number of available proof modes is seriously 
limited. It is an open problem to construct truly practical protocols for atomic 
propositions of the above forms. 

Our techniques have many practical applications. For example, they cam be 
used to implement the confirmation and the disavowal protocols of Chaum et 
al. [14] more efficiently (the speed-up is polynomial). The main motivation, how- 
ever, for devising the techniques in this paper has been to construct all manner 
of practical privacy-protecting credential mechanisms; this is the subject of a 
forthcoming paper. 



References 

1. M. Bellaie and O. Goldreich. On defining proofs of knowledge. In E. F. Brick- 
ell, editor, Advances in Cryptology-CRYPTO ’9&, volume 740 of Lecture Notes in 
Computer Science, pages 390--420. Springer- Verlag, 1992. 

2. M. Bellare, O. Goldreich, and S. Goldwcisser. Incremental cryptography: The case 
of hashing and signing. In Y. G. Desmedt, editor. Advances in Cryptology- 
CRYPTO ’94, volume 839 of Lecture Notes in Computer Science, pages 216-233. 
Springer- Verlag, 1994. 

3. M. Bellare and P. Rogaway. Random oracles cure practical: A paradigm for design- 
ing efficient protocols. In First ACM Conference on Computer and Communica- 
tions Security, pages 62-73, Fairfax, 1993. ACM Press. 

4. J. Benaloh and J. Leichter. Genertilized secret sharing and monotone functions. 
In S. Goldwasser, editor, Advances in Cryptology-CRYPTO ’88, volume 403 of 
Lecture Notes in Computer Science, pages 27-35. Springer- Verlag, 1988. 




331 



5. M. Blum, A. De Santis, S. Micali, and G. Persiano. Noninteractive zero-know- 
ledge. SIAM J. Computing, 20(6):1084-1118, December 1991. 

6. S. Brands. An efficient off-line electronic cash system based on the representation 
problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 
April 1993. 

7. S. Brands. Untraceable off-line cash in wallets with observers. In D. R. Stin- 
son, editor, Advances in Cryptology-CRYPTO ’93, volume 773 of Lecture Notes in 
Computer Science, pages 302-318. Springer- Verlag, 1994. 

8. S. Brands. More on restrictive blind issuing of secret-key certificates in paral- 
lel mode. Technical Report CS-R9534, Centrum voor Wiskunde en Informatica, 
March 1995. 

9. S. Brands. Restrictive blind issuing of secret-key certificates in parallel mode. 
Technical Report CS-R9523, Centrum voor Wiskunde en Informatica, March 1995. 

10. S. Brands. Restrictive blinding of secret-key certificates. In L. C. Guillou and J - 
J. Quisquater, editors, Advances in Cryptology-EUROCRYPT ’95, volume 921 of 
Lecture Notes in Computer Science, pages 231-247. Springer- Verlag, 1995. 

11. E. F. Brickell, D. Chaum, I. B. Damgard, and J. van de Graaf. Gradual and verifi- 
able release of a secret. InC. Pomerance, editor, Advanrj'.s in Cryptology-CRYPTO 
'87, volume 293 of Lecture Notes in Computer Science, pages 156-166. Springer- 
Verlag, 1988. 

12. E. F. Brickell and K. S. McCurley. An interactive identification scheme based on 
discrete logarithms and factoring. Journal of Cryptology, 5(l):29-39, 1992. 

13. D. Chaum, E. van Heijst, and B. Pfitzmann. Cryptographically strong undeniable 
signatures, unconditionally secure for the signer. Technical report. University of 
Karlsruhe, February 1991. Interner Bericht 1/91. 

14. D. Chaum, E. van Heijst, and B. Pfitzmann. Cryptographically strong undeni- 
able signatures, unconditionally secure for the signer. In J. Feigenbaum, editor, 
Advances in Cryptology-CRYPTO ’91, volume 576 of Lecture Notes in Computer 
Science, pages 470-484. Springer- Verlag, 1992. 

15. R. Cramer, I. Damgard, and B. Schoenmakers. Proofs of partial knowledge and 
simplified design of witness hiding protocols. In Y. G. Desmedt, editor. Advances 
in Cryptology-CRYPTO ’94, Lecture Notes in Computer Science, pages 174-187, 
Springer- Verlag, 1994, 

16. I. B. Damgard. Practical and provably secure release of a secret. In T. Hclleseth, 
editor. Advances in Cryptology-EUROCRYPT ’93, volume 765 of Lecture Notes in 
Computer Science, pages 200-217. Springer- Verlag, 1994, 

17. A. De Santis, G. D, Crescenzo, G. Persiano, and M. Yung. On monotone formula 
closure of SZK. In Proc. 35th IEEE Symp. on Foundations of Comp. Science, 
pages 454-465, Santa Fe, 1994. IEEE Transactions on Information Theory. 

18. U. Feige and A. Shamir. Zero-knowledge proofs of knowledge in two rounds. In 
G. Brassard, editor, Advances in Cryptology-CRYPTO ’89, volume 435 of Lecture 
Notes in Computer Science, pages 526-544. Springer- Verlag, 1990. 

19. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification 
and signature problems. In A. Odlyzko, editor. Advances in Cryptology-CRYPTO 
’86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer- 
Verlag, 1987. 

20. L. C. Guillou and J.-J. Quisquater. A practical zero-knowledge protocol fit- 
ted to security microprocessors minimizing both transmission 0 md memory. In 
C. Gunther, editor. Advances in Cryptology-EUROCRYPT ’88, Lecture Notes in 
Computer Science, pages 123-128, Springer- Verlag, 1988. 

21. J. Hastad, A. Schrift, and A. Shamir. The discrete logarithm modulo a composite 
hides o{n) bits. JCSS, 47(3):376-404, 1993. 




332 



22. M. Jakobsson, K. Sako, and R. Impagliazzo. Designated verifier proofs and their 
applications. In U. Maurer, editor, Advances in Cryptology-EURO CRYPT ’96, 
volume 1070 of Lecture Notes in Computer Science, pages 143-154. Springer- 
Verlag, 1996. 

23. D. E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Pro- 
gramming, pages 441-462. Addison- Wesley Publishing Company, 2 edition, 1981. 
ISBN 0-201-03822-6. 

24. D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphael!. Can D.S.A. be im- 
proved? - complexity trade-offs with the digital signature standard. In A. D. 
Santis, editor, Advances in Cryptology-EUROCRYPT ’94, volume 950 of Lecture 
Notes in Computer Science, pages 77-85. Springer- Verlag, 1995. 

25. K. Ohta and T. Okamoto. A modification of the Fiat-Shamir scheme. In 
S. Goldwasser, editor, Advances in Cryptology- CRYPTO ’88, volume 403 of Lec- 
ture Notes in Computer Science, pages 232-243. Springer- Verlag, 1988. 

26. T. Okamoto. Provably secure and practical identification schemes and correspond- 
ing signature schemes. In E, P. Brickell, editor. Advances in Cryptology-CRYPTO 
’92, volume 740 of Lecture Notes in Computer Science, pages 31-53. Springer- 
Verlag, 1992. 

27. T. Okamoto and K. Ohta. Divertible zero knowledge interactive proofs and com- 
muntative random self-reducibility. In J.-J. Quisquater and ,1. Vandewalle, editors. 
Advances in Cryptology-EUROCRYPT ’89, volume 434 of Lecture Notes in Com- 
puter Science, pages 134-149. Springer- Verlag, 1989. 

28. B. Pfitzmann. ZKP in Zp or ■ Unpublished manuscript, April 1991. 

29. D. Pointcheval and J. Stern. Provably secure blind signature schemes. In K. Kim 
and T. Matsumoto, editors. Advances in Cryptology-ASIACRYPT ’96, 1163, pages 
252-265. Springer-Verlag, 1996. 

30. D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, 
editor. Advances in Cryptology-EUROCRYPT ’96, volume 1070 of Lecture Notes 
in Computer Science, pages 387-398. Springer-Verlag, 1996. 

31. C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptol- 
ogy, 4:161-174, 1991. 

32. D. R. Stinson. Cryptography; theory and practice. CRC Press, 1 edition, 1995. 
ISBN 0-8493-8521-0. 

33. M. Tompa and H. Woll. Random self-reducibility and zero knowledge interactive 
proofs of possession of information. Technical Report RC 13207 (#59069), IBM, 
October 1987. 



A Proof Modes 



If c is chosen at random by V, and 2* is small, then the protocol must be repeated 
polynomially many times in order for P’s proof to be convincing with overwhelm- 
ing probability. Sequential repetitions result in a zero-knowledge proof, while 
parallel repetitions are not zero-knowledge unless preceded by an initial step in 
which V commits to its challenges (the commit must be unconditionally secure 
for P in case V is unbounded); alternatively, the challenges are determined in a 
mutually random fashion by P and V. 

If 2* is large then P is convincing with overwhelming probabiiity, without 
repetitions. The case m = 1 is the Schnorr proof of knowledge [31]; this is widely 
believed to be witness hiding, although no proof of this is known. In case m > 
2 the protocol is non-trivially witness indistinguishable and provably witness 




333 



hiding, and the case m = 2 is Okamoto’s proof of knowledge [26, page 36] . The 
protocol can be made zero-knowledge in the manner described above. 

The protocol can be performed as a signed proof, meaning that the transcript 
of the protocol execution is convincing evidence that V has performed a protocol 
execution. Following Fiat and Shamir [19], the challenge c is hereto computed 
as a one-way hash (implying that 2‘ is large) of at least a. The hash-function 
must be such that it is infeasible to obtain more signed proofs than the number 
of protocol executions that V has engaged in (“unforgeability”). In addition, h 
and a message may be hashed along; in the latter case the signed proof serves as 
a digital signature of V on the message. The signed proof consist of (ri , . . . , r^)! 
one of a and c, and any (other) information hashed in order to compute c; 
moreover, h must be included in case it is not associated with V. The Schnorr 
signature scheme [31] (resp. the Okamoto signature scheme [26, page 46]) is the 
special case in which V determines c by itself, signed proofs serve as digital 
signatures, and m = 1 (resp. ?n = 2). 

If we model the hash function as a random oracle (see Bellare and Rog- 
away [3]) and V computes c in Step 2 by itself, then the unforgeability of signed 
proofs is guaranteed for all m > 1, assuming the Discrete Logarithm assump- 
tion; see Pointcheval and Stern [30]. In particular, this holds also if V supplies a 
message, possibly adaptively chosen based on previous protocol executions, that 
is hashed along by V. 

In signed proof mode, it may be desirable to let V instead of V determine c, 
for example to enable V to obtain a blinded signed proof (it is straightforward to 
apply the blinding technique of Okamoto and Ohta [27]). In the random oracle 
model, the unforgeability of signed proofs for which c determines the challenge is 
guaranteed for all m > 2, assuming the Discrete Logarithm assumption and pro- 
vided that V engages in no more than logarithmically many protocol executions; 
see Pointcheval and Stern [29]. 

Other proof modes are available as well. For example, one can perform the 
protocol as a non-interactive zero-knowledge proof (see Blum, De Santis, Micali 
and Persiano [5]), a limited-show proof, a designated verifier proof (see Jakobs- 
son, Sako and Impagliazzo [22]), or a multi-prover proof. As an example of the 
latter proof mode, consider i parties that have each committed to their own se- 
cret, Xi, by publishing hi = gi'g^', for randomly chosen j/i; by taking h to be the 
product of appropriate powers of the hi's, they can jointly demonstrate formu- 
lae pertaining to their secrets (without revealing them to any other party), by 
combining their responses in accordance with the formula that is demonstrated. 

Finally, we note that the protocol can be modified in order to issue a signed 
proof that can be blinded only restrictively, by using the techniques of [10]- 
Hereto V and V perform the blinded signed proof with respect to a combination 
of V's public key and V’s public key. In addition to the properties of unforgeabil- 
ity and independence of the signed proof and P’s view, it can be proved under 
the Discrete Logarithm assumption that part of the representation of V remains 
invariant under V’s blinding operations. In the random oracle model, this holds 
even if polynomially many verifiers, each with a different public key, conspire, 
provided that protocol executions are performed sequentially; for parallel exe- 
cutions, slight modifications are required, and the security can only be argued 
heuristically (see [9, 8]). 




Oblivious Transfers and Privacy Amplification 



Gilles Brassard* and Claude Crepeau** 



Departement IRO, Universite de MontreeJ 
C.P. 6128, succurscde centre-ville 
Montrecil (Quebec), Canada H3C 3J7 
emciil : {br 2 issard , crepeau } @iro . umon treal . ca 



Abstract. Assume A owns two secret A;-bit strings. She is willing to 
disclose one of them to B, at his choosing, provided he does not learn 
anything about the other string. Conversely, B does not want A to learn 
which secret he chose to lc 2 im. A protocol for the above task is said to 
implement One-out-of-two String Oblivious Treinsfer, denoted (f)-OT*'. 
This primitive is particuleirly useful in a variety of cryptographic settings. 
An apparently simpler tcisk corresponds to the case k = 1 of two one-bit 
secrets: this is known as One-out-of-two Bit Obhvious TrcUisfer, de- 
noted (i)-OT. We address the question of reducing (i)-OT* to (i)-OT. 
This question is not new: it was introduced in 1986. However, most so- 
lutions until now have impUcitly or explicitly depended on the notion 
of self-intersecting codes. It can be proved that this restriction makes it 
asymptotictiUy impossible to implement (i)-OT* with fewer thtin about 
3.5277/c instcinces of (J)-OT. The current paper introduces the idea of 
using privacy amplification as underlying technique to reduce (i)-OT* 
to (i)-OT. This allows for more efficient solutions at the cost of an expo- 
nentially small probability of failure: it is sufficient to use slightly more 
than 2k instances of (i)-OT in order to implement (i)-OT*. Moreover, 
we show that privacy amphfication allows for the efficient implementa- 
tion of (f )-OT* from generahzed versions of (?)-OT that would not have 
been suitable for the earlier techniques based on self-intersecting codes. 
An apphcation of this more general reduction is given. 



Key Words: Information-Theoretic Security, Reduction Between Protocols, 
Oblivious Transfer, Privacy Amplification. 



* Supported in part by Ccinada’s NSERC, The Canada Council cind Quebec’s FCAR. 
** Supported in part by Quebec’s FCAR and Canada’s NSERC. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 334-347, 1997. 
© Springer-Verlag Berlin Fleidelberg 1997 




335 



1 Introduction 

One-out-of-two String Oblivious Transfer, denoted (i)--OT^, is a primitive that 
originates with [Wie70] (under the name of “multiplexing” ), a paper that marked 
the birth of quantum cryptography. According to this primitive, one party A 
owns two secret A;-bit strings Wq and Wi , and another party jS wants to learn u>c 
for a secret bit c of his choice. A is willing to collaborate provided that B does 
not learn any information about wg, but B will only participate if A cannot ob- 
tain information about c. Independently from [Wie70] but inspired by [RabSl], 
a natural restriction of this primitive was introduced subsequently in [EGL83] 
with applications to contract signing protocols: One-out-of-two Bit Oblivious 
Transfer, denoted (i)-OT, concerns the case ^ = 1 in which wo and wi are 
single-bit secrets, generally called ho and hi in that case. 

Techniques were introduced in [BCR86] and refined in [CS91b, BCS96] to 
reduce (j)-OT*' to (^)-OT; several two-party protocols were given to achieve 
One-out-of-two String Oblivious Transfer based on the assumption of the avail- 
ability of a protocol for the simpler One-out-of-two Bit Oblivious Transfer. The 
fact that (i)-OT* can be reduced to (j)-OT is not surprising because a num- 
ber of authors [Kil88, Cre89, CGT95] have shown that (f )-0T is sufficient to 
implement any two-party computation. Our interest in direct reductions is their 
far greater efficiency, With the exception of [CS91a], all previous direct reduc- 
tions that we are aware of [BCR86, CS91b, BCS96] are based on a notion called 
zigzag functions, whose construction is reduced to finding particular types of 
error-correcting codes called self-intersecting codes. In a nutshell, this approach 
consists in selecting once and for all a suitable function / from {0, 1}" to {0, 1}* 
for n as small as possible {n > k), so that if xo is a random preimage of wq and 
X\ is a random preimage of W\, and if B is given to choose via (i)-OT to see 
the bit of either xq or xi, 1 < i < n, then no information can be inferred 

on at least one of wo or wi. This approach has led to various reductions with 
expansion factors d ranging from 4.8188 to 18, that is various polynomial-time 
constructible methods using n = f3k instances of (f)-OT to perform one (j)-OT* 
on Ar-bit strings. Komlos proved that this approach cannot yield an expansion 
factor /5 that is asymptotically better than 3.5277 [CL85]. It was recently proven 
by Stinson that the same bound applies even to non-linear zigzags [Sti97]. 

The current paper exploits a new approach to this problem using privacy 
amplification, a notion first introduced in the context of key exchange protocols 
[BBR88]. The new approach allows for a solution requiring only slightly more 
than 2k instances of (i)-OT to perform one (f)-OT'', and it can be extended 
to a whole range of generalizations of (j)-OT that could not be used with the 
reductions based on zigzag functions. 

An application of the simplest of our generalizations is also considered: 
(i)-OT* from A to B can be reduced to (f)-OT in the other direction (from 
B to A) by only doubling the cost of reducing to (i)-OT from A to B. This 
improves on an earlier result of [CS91a]. 




336 



2 Privacy Amplification Method 

Assume A knows a random n -bit string x about which B has partial infor- 
mation. Privacy amplification is a technique invented in [BBR88] and refined 
in [BBCM95] that allows A to shrink x to a shorter string w about which B 
has an arbitrarily small amount of information even if he knows the recipe 
used by A to transform x into w. Intuitively, this can be used to implement 
(j)-OT^(uio, ^i)(c) from (f)-OT because A can offer B to read one of two ran- 
dom strings xq or xi by a simple sequence of (f)-OT(xg, Xj)(cj). Subsequently, 
A tells B how to transform xg into Wq and xi into itij by way of privacy amplifi- 
cation. An honest B who accessed all the bits of Xc can reconstruct Wc from this 
information. But a dishonest B who tried to access some of the bits of xq and 
some of the bits of xi will not have enough information on at least one of them 
to infer any information on the corresponding in, or even joint information on 
both Wo and Wi . 

An important fact about the method based on zigzag functions considered in 
earlier papers is that there is no way for B to learn information about both wq 
and even though the zigzag function is known before he gets to choose which 
bits of Xq and xi to obtain through the (j)-OT instances. In the new approach 
based on privacy amplification, A reveals the function to B after the necessary 
(i)-OT’s have been performed. This allows for a protocol that is simpler, more 
general and more efficient, but at the cost of a vanishingly small probability of 
failure. A drawback of this approach is that a new function must be generated 
and transmitted at each run of the protocol. 

The following table compares the efficiency of the earlier methods to that 
of privacy amplification. The column “expansion factor” gives a number /? so 
that a (J)-OT^ can be achieved with 0k instances of (fj-OT, s is a safety pa- 
rameter, and e is arbitrarily small in the limit of targe k, Thus we see that the 
privacy amplification method is preferable provided a probability of failure can 
be tolerated. 



Method 


expansion 

factor 


failure 

probability 


construction 

time 


Monte Carlo Zigzag^ 


4.8188 -be 


2-'’ 


0(k-^) 


Las Vegas Zigzag^ 


9.6377 + e 


0 


0{k‘^) 


Zigzag a la Justesen^ 


18 


0 


O(k^) 


Zigzag a la Goppa^ 


6.4103 


0 


0{k^‘^) 


Privacy Amplification 


2 -|- 5 


2-* 


0(F) 



* Attributed to Cohen and Lempel in [BCS96]. 
^ Attributed to Joe Kilian in [BCS96]. 

® From [BCS96]. 

■* From [CZ94] based on a method of [CS91b]. 





337 



3 The New Protocol 

Let s be a security parameter chosen by A and B so that they agree to tolerate 
a probability 2~" of failure. Let 7 be a constant to be determined later, let 
n = 7 /; + s, and let JF 2 denote the field of integers modulo 2 . 

Privacy amplification is based on the general notion of universal classes of 
hash functions [CW79]. Forsake of simplicity, we use a specific class of hash 
functions in our protocol to implement (i)-OT* from (i)-OT: 

{h I h(x) = Mx, foT M a. k X n matrix over ^^ 2 } ■ 

Other, more efficient classes of hash functions can be used, but it is not known 
if the definition of universal classes is sufficient in general to make our protocol 
work. 



Protocol 3.1 ( (i)-OT*^(u!o, u)i)(c) ) 

1: A picks two raindom n-bit strings xo and it). 

2: DO A transfers t‘ <— (i)-OT(xo,a:i)(c) to B. 

t= 1 

3: A picks two random k x n matrices Mo and Mi over JF 2 ; 
she announces them to B. 

4: A sets mo <- Moxq, mi <- Mixi, yo <- mo 0 wo and yi <- mi © mi; 
she cinnounces yo and yi to B. 

5: B recovers Wc by computing (Met) © yc- 

We postpone to Sect. 5 the proof that this protocol is private provided 7 > 2 
because we shall first generalize it to permit at no extra cost the use of another 
primitive called XOR Oblivious Transfer. (Informally, a protocol is private if 
B cannot learn information on both Wo and mi except perhaps with negligible 
probability. In addition, B must not be able to obtain joint information on Wo 
and mi except for what follows from his a priori knowledge and his learning one 
of the two strings. Conversely, A should learn nothing at all. See [BCS96] for 
a formal information-theoretic definition. We shall later relax the condition to 
allow B an exponentially small amount of unauthorized information.) 



4 XOR Oblivious Transfer 

A (f)-XOT is an extension of (i)~OT that enables a sender A to transfer to a 
receiver B either one bit among 6 q and b\ or their exclusive-or, at B’s choice. More 
formally, .4 inputs bo and bi into the protocol, B inputs c £ {0, 1, ©}, and B learns 
be while A learns nothing, where for convenience we use 6 ^ to denote 60 ® 

As usual, this is done in an all-or-nothing fashion: B cannot get more information 
about 60 and bi than bo, 61 or 6 ^, however malicious or computationally powerful 
he is. Note that in our application of (?)-XOT, which is to use it instead of 





338 



(f)~OT inside Protocol 3.1, an honest B would never requests b^. Therefore we 
can safely use any protocol in which it is merely tolerated that B might learn 6® 
in cheating attempts even though A is not required to provide it upon request. 

The (^)-XOT comes naturally in a specific implementation of (i)-OT: in 
[BCR86a] a protocol for (i)-OT is given under the assumption that deciding 
quadratic residuosity modulo a composite number is hard. In that implementa- 
tion, the possibility that B obtains fc® arises naturally and some effort is made 
to prevent it. The current paper shows that this effort was unnecessary if the 
final goal is to implement (f)~OT*^ rather than simply (i)-OT. 

5 Privacy 

Consider a variation of Protocol 3.1 in which the transfers at step 2 are per- 
formed through (j)-XOT instead of (j)-OT. Even though this makes no differ- 
ence if B follows the protocol honestly, it gives him additional opportunities for 
cheating if he so desires. Our goal is to show that whatever program B is ran 
by B, he is not able to obtain information on both wq and tui, except with a 
probability that is exponentially small in the security parameter s. Moreover, 
it is obvious from inspection of the protocol that a cheating A cannot obtain 
any information about B’s secret parameter c. From now on, think of xq and x\ 
as column- vectors of length n, and of ruo = MqXo and mi = Mixi as column- 
vectors of length k, all over First, we show that immediately after Step 3 of 
the protocol, whatever program B is ran by B, he will have no information about 
one of mo or mi and no information allowing him to connect mo and mi (such 
as mo0mi for instance), except with exponentially small probability. (Formally, 
there will be some bit c such that the first three steps of the protocol would give 
no additional information to B about the pair (mo, mi) than if he were simply 
told the value of me; see [BCS96].) We conclude the result about wo and wi at 
the end of the protocol from the fact that mo and mi are used as one-time pads 
to transfer them. 

Suppose B reads the bits with c, G{0, 1,©} at his choosing. 
Let 3 be a non-trivial linear function of mo and mi . In other words, 
g{mo,m.i) = vomo © Uimi for some line-vectors Uq and Vi of length k over J - 2 
such that both Vo and v\ are non-zero®. 

Theorem 1. Consider the knowledge that B has about mo and mi immediately 
after Step 3 of the protocol. Provided 7 > 2, 

Prob ^3 non-trivial g such that B knows g(mo, mi)^ < 2“' . 

® Note that by virtue of vo and mo being a line- vector and a column- vector, respec- 
tively, a “matrix” multiplication such eis vomo computes the scalar product; similcirly, 
given that xo is also a column- vector, an expression such as voMoxo makes sense: 
it is simply ein element of This notation is handy because vqMoxo can be thought 
of indifferently as either the scalar product of vo with Mqxo or of voMo with xq. 




339 



Proof. We first describe the condition under which B learns g{mo, mi) at Step 3 
of the protocol for some specific non-trivial linear function g. By definition 

g{mo,mi) - vomo © vimi = voMqXo 0 viM\Xi - 2:0X0 © 2iXi 

where 20 = vqMq and 21 = viMi. Because xo and xi are random, B cannot learn 
anything about g{mo,mi) at Step 3 unless he is lucky enough that his choices 
Cj simultaneously follow 

( 0 when (z'o,z\) = (1,0) 

Ci = 1 when (zo,z\) = (0, 1) 

[ © when (zq,z[) = (1, 1) 

in all the instances of (f)~XOT such that 2o and z[ are not both 0. (The value 
of Ci is unimportant when (zo,z[) = (0,0) since neither Xq nor x) is required in 
that case to compute g{mo,mi).) 

But remember that Mq and M\ are picked at random and neither vq nor Vi is 
zero. Therefore 20 = vqMo and 2i = Mi are random binary strings of length n 
chosen independently according to the uniform distribution. In particular, zq and 
2i are independent of B's choices of Cj’s, It follows that, for each i, the probability 
that either (zjii'^l) = (0.0) or B chose c, appropriately according to the above 
case analysis is exactly 1/2. Since B must be lucky for each i, 1 < i < n, 

Prob (^B learns if(mo,mi)^ = 

for each non-trivial linear function p, whatever choices B makes for the Cj’s. 
Finally, given that there are less than 2^** such linear functions, we conclude 
that 

Prob ^3 non-trivial g such that B learns g{mo,mi)^ 

^ ^2k — n 

provided 7 > 2. □ 

Theorem 2. Protocol 3.1 is private even if the transfers at step 2 are performed 
through {l)-XOT instead o/(j)-OT. 

Proof. We know from Theorem 1 that, except with probability at most 2“*, 
B has not learned g{mo,m\) by the end of Step 3 for any linear function g 
that involves both mo and mi in a non-trivial way.® It follows that there is a 
d G {0, 1} such that B learns no non-trivial linear function of m^ because if he 
could learn non-trivial linear functions fl'o(»no) and g\ (mi ), he would have learned 
50(^0) © 5i(mi), a non-trivial linear function of both mo and mi. We can say 
something stronger: not only does B learn no non-trivial linear function of m^, 
but he learns no information of any kind that involves m^ . This is true because 



® Of course, it is possible for B to learn linccir functions of mo or mi alone by setting 
all the c. = 0 or Ci = 1 as in the honest protocol. 




340 



mo and mi are purely random and the only source of information that B has 
about them (up until Step 3) is given by linear functions of mo and mi . Since 
rrid is used by A at Step 4 as one-time pad to transmit Wd to B, it follows that 
B learns no information of any kind that involves Wd- □ 



6 Application: Reversing Oblivious Transfer 

Consider that A wants to send one of two words wq or wi to B when they 
only have an (i)-OT channel running from B to A. A very efficient protocol 
for sending one of two bits from A to B is given in [CS91a] provided A does 
not mind the possibility that B might learn the exclusive-or of her two bits: 
two instances of reversed (f)-OT are sufficient to implement (i)-XOT. No such 
efficient constructions are known that would implement (i)-OT from so few 
instances of reversed (i)-OT. In other words it is much easier to implement 
(i)-XOT than (j)-OT from AtoB given an (i)-OT channel from B to A- This 
is fine because we just showed that (i)-XOT is just as good as (i)-OT for 
the purpose of implementing (fj-OT^. Therefore, (i)-OT* from A to B can be 
implemented from slightly more than Ak instances of (fj-OT from B to A. This 
is a three-fold improvement over [CS91a]. 



7 Generalized Oblivious Transfer 

A (i)-GOT is a cryptographic protocol for two participants that enables a sender 
A to transfer a one-bit function evaluated on (6 q, i>i) to a receiver B who chooses 
secretly which one-bit function (/) he gets from her input bits. This is done in 
an all-or-nothing fashion: B cannot get more information about bo and 6i than 
f{bo, bi) for some /, however malicious or computationally powerful he is, and 
A finds out nothing about the choice / of B. As was the case with (i)-XOT in 
Sect. 4, one may think of a (f)-GOT protocol as merely tolerating the fact that 
a cheating B might learn f{bo,bi) for some / rather than specifying that any 
such / can be learned at B’s whim. 

The following table enumerates all 14 possible non-constant functions from 
two bits to one. (We ignore the two constant function since they would yield no 
information if used.) The symbols used refer to the common boolean functions. 
Example: A stands for bo Abi. The notations 0 and 1 are used for the projection 
functions &o06i = ho and bol^i = We say that a function f{bo,bi) is biased if 
the probability that /(6o, &i) = 1 is not 1/2 when 6o and 6i are chosen randomly 
and independently according to the uniform distribution. The ordinary (f)-OT 
is a special case of (j)-GOT where B is limited to the functions 0 and 1. 




341 





bi 


m 


s 


Q 


s 






m 


□ 


M 




B 


Q 


B 


D 


0 


0 




□ 


D 


0 


□ 




1 


0 


V 




1 


B 


1 


0 


1 


0 




1 


1 


0 


1 


1 


1 


0 


0 


B 


1 


i 


0 


1 


0 










1 


U 


1 


1 


0 


0 


B 


0 


1 


1 


1 


1 










0 






□ 


1 


1 


B 


1 


1 


1 


1 




m 


H 


1 


H 


1 






B 


■ 


1 


B 


1 


B 


1 



It has been shown in [BCR86] that (f)-GOT is a sufficient primitive to 
implement (^)-OT. The reduction they presented uses 0{s) runs of (j)“GOT 
to achieve a single (’f)-OT in such a way that the reduction may fail and give 
both bits to B with probability . If this protocol is combined with a standard 
reduction of (j)-OT*^ we obtain a global cost of &(ks) runs of (f)-GOT per 
(f )-0T* . Contrary to reductions to (j)-OT, reductions to (f )-GOT must involve 
a failure probability since it is always possible to get all the information sent by 
A by selecting the appropriate biased function at each transfer by sheer luck. 
For example, if B requests Xq A x\ at step 2 of Protocol 3.1 for some i, and if he 
obtains the value 1, then he knows that both Xg and x\ are equal to 1. Using 
the new privacy amplification method we obtain a direct reduction of (i)-OT* 
at a cost of only 0{k + s) instances of (j)-GOT. 

Consider a variation of Protocol 3.1 in which the transfers of step 2 are per- 
formed through (i)-GOT instead of (f)-OT. Our goal is to show that whatever 
program B is ran by he is not able to obtain non-negligible information on 
both u>o and loi, except with a probability that is exponentially small in the se- 
curity parameter s. Contrary to the analysis in Sect. 5, it will no longer suffice to 
take n = qAr -b s for some 7, but n will nevertheless remain in 0{k -f s) — see the 
proof of Theorem 3 for details. First we show that immediately after Step 3 of 
the protocol, whatever program B is ran by B, he will have negligible information 
about one of mo or mi , and negligible information allowing him to connect mo 
and mi . We conclude a similar result about wo and wi at the end of the protocol 
from the fact that mo and mi are used as one-time pads to transfer them. 

Suppose B obtains bits with c, G {V,t=, l,=f, 0, 0, A, A, 0, 0, — >■, 1, t— , V} 
at his choosing. As before, let y be a non-trivial linear function of mo and mi, 
that is = uomo 0 vimi for some non-zero binary line-vectors uq and 

Vi of length k. We say that B can a-bias a bit if he can guess it with probability 
better than | + a of being correct. 



Theorems. Consider the knowledge that B has about mo and mi immediately 
after Step 3 of the protocol. 

Prob ^3 non-trivial g such that B can g{mo,mi)\ < 2“® 



provided n is chosen appropriately in 0(k + s). 












342 



Proof. Let 7 and a be constants to be determined later and let n = (a+l)( 7 ^+s). 
Let Biased — {i j cj € {V,^,=F,A, A, — )•, t— , v}}, the set of positions where B 
uses a biased function. If f^Biased < a{'yk+s) then Theorem 1 applies with 7 > 2 
and n — ~fk -\r s. We thus get the desired result. Otherwise ff Biased > a{'jk + s^ 
is the more interesting case to consider. Consider the set of positions where B 
has used a biased function. As before, B would have learned g(mo,m.i) exactly 
if he had simultaneously obtained 

4 when ( 2 j, 4 ) = ( 1 , 0 ) 

z’l when (z'o, z() = ( 0 , 1 ) 
when ( 4 ,z‘) =: ( 1 , 1 ) 

for all i for which Zq and z\ are not both 0 . 

Remember that Mq, Mj, a;o and xi are picked at random. Thus Zq and zi 
are random binary words of length n. Since B has used a biased function in 
position i, with probability 1/4 he will have learned both Zq and x\, and with 
probability 3/4 he will be able to 1/6-bias Xq, x\ and a;'^. (This is because each 
biased function has one output that uniquely defines a specific pair of inputs, 
while the other output leaves three pairs of inputs equally likely.) This means 
that in each such position i, B has obtained the bit he needs with probability 
7/16 and with probability 9/16 he can only 1 / 6 -bias the bit he needs. Of the 
a(‘yk+s) such values of i, less than a( 7 A:+s )/4 of them will fall in the second case 
with probability at most ss according to Bernstein’s 

law of large numbers [Ren70, Chap. VII, Sect. 4, Theorem 2], for a 28. When 
7 ( 7 ^ +s) of the bits involved in the calculation of g(mo, mj) are 1/6-biased, even 
if all the other bits are exactly known, B can only (l/3)^('’'*"*''V2"bias the value 
of g{mo,Tni). (In general, d-biasing each of xi,X2,...,xi allows to (2J)V2-bias 
arj © ai 2 © ... © [Cre90].) It follows that for any set of choices {ci}i and any 

Vo,Vi 7 ^ 0* 



Prob (r can 3-^(T'*+’)/2-bias 5 (^ 0 , mO) < 2''('^''+’) . 

Finally, given that there are less than 2^*^ pairs vq,vi, taking 7 > 2, and using 
the fact that we conclude as desired that 

Prob ^3 non-trivial g such that B can 2~*’“^“*'^^-bias g{mo,mi)^ 

< 2 ^* 2 "' < 2 ~^ 



□ 

To conclude that, except with probability , B has no more than 2“'* bit of 
information on at least one of mo or mi immediately after Step 3, and therefore 
no more than 2 ~* bit of information on at least one of Wq or at the end of 
the protocol (even if he is given the other string — see the Appendix for formal 
definitions), it suffices to apply the following theorem with £ = i/ 2 *+i +*/2 




343 



Theorem 4. Let k be an integer and e < 1/2*'*'’^. Consider a k-bit string m so 
that B cannot e-bias any non-trivial linear function of the bits ofm. Then B’s 
information on m in the sense of Shannon is less than bit. 



Proof sketch. Let X be the random variable over the binary strings of length k 
that corresponds to B’s probability distribution on m. Consider the set G of 
all non-trivial linear functions on A:-bit strings: there are exactly 2* — 1 such 
functions. For any g €G, let pg be the probability that g{X) — 0. We have 
^ — e < pg < I -|- e for all 5 £ G by assumption that B cannot e-bias non-trivial 
linear functions of the bits of m. 

It is easily shown that the probability that X = x for any given string x is 
given by 

Prob {X = x) = 2"* -f ^ ^ s{g, x) x {2pg - 1) 

^ g€G 

for some function s:Gx{0,l}^— >•{ — 1,1} whose detail does not concern us. 
It follows that Prob {X — x) differs from by less than the largest value of 
2pg — 1 in absolute value, which is less than 2e. The random variable X that 
would give the most information to B, yet respect the above constraint, would 
have half the strings with probability 2“* — 2s and the other half with proba- 
bility 2~* + 2s. Therefore, 



H(X) < -2*-^(2-* - 2s) lg(2"* - 2s) - 2*"^ 
_ /(2''+^s)2 (2''+^£)^ (2'=+'e)® 

“ 1x2 3x4 5x6 



(2-* -L 2s) lg(2-* + 2e) 



7x8 



/In 2 



□ 



8 Open Problems 

The value of n used in our proof of Theorem 3 is in 0(fc -f- s) but we conjecture 
that it could be made significantly smaller in terms of the hidden constant, 
perhaps as small as 2 k s. 

As a further generalization, consider any a < 2. An q-(j)-UOT is a cryp- 
tographic protocol for two participants that enables a sender A to trans- 
fer a bits of information, in the sense of Shannon, about two bits {bo,bi) 
to a receiver B who chooses secretly which information L2{bo,bi) he get® 
from her input bits. We require that be a random variable such that 

H((Bo,5i)|G(b„b,)) >2 — a when Bq and Bi are uniformly distributed over 
{0, 1}. This is done in an all-or-nothing fashion: B cannot get more information 
about bo and 6j than a sample from L2(bo,bi) for some 17, however malicious or 
computationally powerful he is, and that A finds out nothing about the choice 17 




344 



of B. To see that this is genuinely more general than (f)-GOT, consider the case 
in which B would request to see both bits through a binary symmetric channel 
with error rate 11%. Because H 2 (ll%) fa 0.5, this would give B one bit of in- 
formation about the two bits of However, this scenario cannot be simulated 
with (?)-GOT. 

Conjectures. For all a < 2 (or perhaps merely for all a <1?), Protocol 3.1 
remains private even if occurrences of (f)-OT are replaced with a~{\)-UOT, 
provided n> poc{k + s) for an appropriate constant 0a to be determined, where 
s is the safety parameter. 

Conjectures. If conjectured fails as stated, it works if Shannon entropy is 
replaced with Renyi entropy of order p in the definition of a-{l)-UOT for all 
p > 1 [Cac97] or perhaps merely for p = 2 [BBCM95], 



Acknowledgements 

We thank Dominic Mayers and Louis Salvail for their help, comments, sugges- 
tions and support. 



References 

[BBCM95] C. H. Bennett, G. Brassard, C. Crepeau and U.M. Maurer, “Generalized 
privacy amplification”, IEEE Transaction on Information Theory, Vol. 41, 
no. 6, November 1995, pp. 1915-1923. 

[BBR88] C.H. Bennett, G. Brassard eind J.-M. Robert, “Privacy amplification by 
public discussion”, SIAM Journal on Computing, Vol. 17, no. 2, April 1988, 
pp. 210-229. 

[BCR86] G. Brassard, C. Crepeau cind J.-M. Robert, “Information theoretic re- 
ductions among disclosure problems”, Proceedings of 27th Annual IEEE 
Symposium on Foundations of Computer Science, 1986, pp. 168-173. 

[BCR86a] G. Brassard, C. Crepeau emd J.-M. Robert, “All-or-nothing disclosure of se- 
crets”, Advances in Cryptology: Proceedings of Crypto ’86, Springer- Verlag, 
1987, pp. 234-238. 

[BCS96] G. Brassard, C. Crepeau and M. Stetha, “Oblivious transfers and inter- 
secting codes”, IEEE Transactions on Information Theory, Vol. 42, no. 6, 
November 1996, pp. 1769- 1780. 

[Cac97] C. Cachin, “Smooth entropy and Renyi entropy”. Advances in Cryptology: 
Proceedings of Eurocrypt ’97, Springer-Verlag, 1997. 

[CW79] J. L. Carter and M. N. Wegman, “New hash functions cind their use in au- 
thentication cmd set equcility”. Journal of Computer and System Sciences, 
Vol. 22, 1981, pp. 265-279. 

[CL85] G. D. Cohen and A. Lempel, “Linear intersecting codes”, Discrete Mathe- 
matics, Vol. 56, 1985, pp. 35 - 43. 




345 



[CZ94] 

[Cre89] 

[Cre90] 

[CGT95] 

[CS91a] 

[CS91b] 



[EGL83] 



[GMR89] 



[Kil88] 

[RabSl] 

[R6n70] 

[Sti97] 

[Wie70] 



G. D. Cohen and G. Zemor, “Intersecting codes and independent families”, 
IEEE Transactions on Information Theory, Vol. 40, no. 6, November 1994, 
pp. 1872-1881. 

C. Crepeau, “Verifiable disclosure of secrets and application”, Advances 
in Cryptology: Proceedings of Eurocrypt ’89, Springer- Verlag, 1990, 
pp. 181-191. 

C. Crepeau, Correct and Private Reductions Among Oblivious Transfers, 
PhD thesis, Depeirtment of Electrical Engineering and Computer Science, 
Massachusetts Institute of Technology, 1990. Supervised by Silvio Micali. 
C. Crepeau, J. van de Greiaf and A. Tapp, “Committed oblivious transfer 
and private multi-party computations”, Advances in Cryptology: Proceed- 
ings of Crypto ’95, Springer-Verlag, 1995, pp. 110-123. 

C. Crepeau and M. Smtha, “On the reversibility of oblivious transfer”, 
Advances in Cryptology: Proceedings of Eurocrypt ’91, Springer-Verlag, 
1991, pp. 106-113. 

C. Crepeau cind M. Santha, “Efficient reductions among oblivious transfer 
protocols b 2 ised on new self-intersecting codes”. Sequences II, Methods in 
Communications, Security and Computer Science, Springer-Verlag, 1991, 
pp. 360-368. 

S. Even, O. Goldreich and A. Lempel, “A randomized protocol for sign- 
ing contracts”. Proceedings of Crypto 82, Plenum Press, New York, 1983, 
pp. 205-210. 

S. Goldwcisser, S. Micali and C. Rackoff, “The knowledge complexity of 
interactive proof-systems”, SIAM Journal on Computing, Vol. 18, 1989, 

pp. 186-208. 

J. Kilian, “Founding cryptography on oblivious transfer”. Proceedings of 
20th Annual ACM Symposium on Theory of Computing, 1988, pp. 20-31. 
M. O. Rabin, “How to exchange secrets by oblivious transfer”. Technical 
Memo TR-81, Aiken Computation Laboratory, Heu-vard University, 1981. 
A. Renyi, Probability Theory, North Holland, 1970. 

D. R. Stinson, Private communication, 12 February 1997. 

S. Wiesner, “Conjugate coding”, Sigact News, Vol. 15, no. 1, 1983, 
pp. 78 - 88. Original manuscript written circa 1970. 




346 



A Appendix: Information Theoretic Definition of 
Generalized Oblivious Transfer 

A cryptographic protocol is a multi-party synchronous program that describes 
for each party the computations to be performed or the messages to be sent to 
some other party at each point in time. The protocol terminates when no party 
has any message to send or information to compute. The protocols we describe 
in this paper all take place between two parties A and B. We denote by A and B 
the honest programs to be executed by A and B\ honest parties behave according 
to A and B and no other program. In the following definitions of correctness and 
privacy we also consider alternative dishonest programs A and B executed by 
^ or S in a effort to obtain unauthorized information from one another. The 
definitions specify the result of honest parties interacting together through a 
specific protocol as well as the possible information leakage of an honest party 
facing a dishonest party. We are not concerned with the situation where both 
parties may be dishonest as they can do anything they like in that case; we 
are only concerned with protecting an honest party against a dishonest party. 
At the end of each execution of a protocol, each party will issue an “accept” 
or “reject” verdict regarding their satisfaction with the behaviour of the other 
party. Two honest parties should always issue “accept” verdicts at the end of 
their interactions. An honest party will issue a “reject” verdict at the end of a 
protocol if he received some message from the other party of improper format or 
some message not satisfying certain conditions specified by the protocol. We also 
implicitly assume certain time limits for each party to issue messages to each 
other; after a specified amount of time a party will give up interacting with the 
other party and issue a “reject” verdict. 

As discussed in Sect. 7, a (j)-GOT is a cryptographic protocol for two par- 
ticipants that enables a sender A to transfer a one-bit function of two bits bo or 
bi to a receiver B who chooses secretly which function /(6o,6i) he gets. This is 
done in an all-or-nothing fashion, which means that B cannot get partial infor- 
mation about bo and bi at the same time, however malicious or computationally 
powerful he is, and that A finds out nothing about the choice / of B. 

Formally speaking we describe a two-party protocol that satisfies the follow- 
ing constraints of correctness and privacy, similar to those introduced for (j )-0T 
in [BCS96]. 

Let [Pq, be the random variable (since Pq and Pi may be proba- 

bilistic programs) that describes the outputs obtained by A and B when they 
execute together the programs Pq and P\ on respective inputs a and b. Similarly, 
let [Pqi 7^i]*(a)(ft) be the random variable that describes the total information 
(including not only messages received and issued by the parties but also the 
result of any local random sampling they may have performed) acquired dur- 
ing the execution of protocol [Pqj ^i] on inputs a and b. Let [Pq; jPi]p(o)(^) ^nd 
[Po, i°i]p(tt)(^) be the marginal random variables obtained by restricting the 
above to only one party P. The latter is often called the view of P [GMR89]. 




347 



In the following definition, the equality sign (=) means that the distributions on 
the l.h.s. and the r.h.s. are the same. When required, we shall use more flexi- 
ble definitions that would allow an exponentially small probability of failure or 
amount of unauthorized information leakage. Details are left to the reader. 

Definition? (Correctness). Protocol \A,S\ is correct for (j)-GOT if 

- V6o,fcie{0,l},/:{0,1}^-^{0,1} 

M,e](6o,6i)(/) = (c,/(6o.6i)) (1) 

- for any program A there exists a probabilistic program X s.t. 

V6o,6i€{0,l},/:{0,1}2^{0.1} 

•^,s]g(io,6i)(/) I B accepts = [A,B]j^{A' ( bo,h)){f) \ B accepts . (2) 



Intuitively, condition (1) means that if the protocol is executed as described, 
it will accomplish the task it was designed for: B receives bit /(6q,6i) and A 
receives nothing. Condition (2) means that in situations in which B does not 
abort, A cannot induce a distribution on B’& output using a dishonest A that 
she could not induce simply by changing the input words and then being honest. 

Let Bo, By and F be the random variables taking values over {0,1} and 
{0,1}^ ->• {0,1} that describe .4’s and B's inputs. We assume that both A 
and B are aware of the joint probability distribution of these random variables 
PBo,Bi,F- a sample bo,bi,f is generated from that distribution and fcoi^i is 
provided as .4’s secret input while / is provided as B’s secret input. 



Definitions (Privacy). Protocol [^,.5] is 
V5o,fli€{0,l},F:{0,l}2-^{0,l} 


private for (i)-GOT if 




— V6qi ^1 S {Oil} 3'i*d for any program A 






i(F;[ab]^(5o,Bi)(F) (Bo,5i) = (&o.fri)) =0 


(3) 


— V/;{0,1}^-4{0,1} and for any program B there exists a random variable 
F = f2(F):{0,l}2->{0,l}s.t. 


i((5o,Si);[as]*^(5o,5i)(F) 


F = f,F{Bo,Bi))=Q. 


(4) 



The above two conditions are designed to guarantee that each party is limited 
to the information he or she should get according to the honest task definition. 
Condition (3) means that A cannot acquire any information about F through the 
protocol. On the other hand, condition (4) means that B may acquire only one 
bit of deterministic information about Bq, Bi through the protocol. We do not 
require that B be given F{Bq,Bi) because there is no way to prevent him from 
obtaining any other F{Bq,Bi) through otherwise honest use of the protocol. 








SHA: A Design for Parallel Architectures? 



Antoon Bosselaers, Rene Govaerts and Joos Vandewalle 

Katholieke Universiteit Leuven, Dept. Electrical Engineering-ESAT 
Kardiiiaal Mercierlaan 94, B-3001 Heverlee, Belgium 

antoon. . bosselaersQesat . kuleuven .ac.be 



Abstract. To enhance system performance computer architectures tend 
to incorporate an increasing number of parallel execution units. This pa- 
per shows that the new generation of MD4-based customized hash func- 
tions (RIPEMD-128, RIPEMD-160, SHA-1) contains much more soft- 
ware parallelism than any of these computer architectures is currently 
able to provide. It is conjectured that the parallelism found in SHA-1 is 
a design principle. The critical path of SHA-1 is twice as short as that 
of its closest contender RIPEMD-160, but realizing it would require a 
7-way multiple-issue architecture. It will also be shown that, due to the 
organization of RIPEMD-160 in two independent lines, it will probably 
be easier for future architectures to exploit its software parallelism. 

Key words. Cryptographic hash functions, instruction-level parallelism, 
multiple-issue architectures, critical path analysis 



1 Introduction 

The current trend in computer designs is to incorporate more and more par- 
allel execution units, with the aim of increasing system performance. However, 
available hardware parallelism only leads to increased software performance, if 
the executed code contains enough software parallelism to exploit the potential 
benefits of the multiple-issue architecture. 

Cryptographic algorithms are often organized as an iteration of a common 
sequence of operations, called a round. Typical examples of this technique are 
iterated block ciphers and customized hash functions based on MD4. In many 
applications, encryption and/or hashing forms a computational bottleneck, and 
an increased performance of these basic cryptographic primitives is often directly 
reflected in an overall improvement of the system performance. 

To increase the performance of round-organized cryptographic primitives it 
suffices to concentrate the optimization effort on the round function, knowing 
that each gain in the round function is reflected in the overall performance of 
the primitive multiplied by the number of rounds. Typical values for the number 
of rounds are between 8 and 32. 

This paper confronts one class of cryptographic primitives, namely the cus- 
tomized hash functions based on MD4, with the most popular computer archi- 
tectures in use today or in the near future. Although only the MD4-like hash 
functions are considered in the sequel, much of it also applies to other classes of 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 348-362, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




349 



iterated cryptographic primitives. Our main aim is to investigate the amount of 
software parallelism in the different members of the MD4 hash family, and the 
extent to which nowadays RISC and CISC processors are able to exploit this 
parallelism. This approach differs of the one in [BGV96] in that we now take the 
hashing algorithms as a starting point, and investigate the amount of inherently 
available parallelism, while previously we took a particular superscalar proces- 
sor as starting point, and investigated to which extent an implementation of the 
hashing algorithms could take advantage of that architecture. 

The next section considers the basic requirements a processor has to meet 
to enable efficient implementations of MD4-Iike hash functions. Section 3 gives 
an overview of currently available processor architectures, and lists their, for 
our purposes, interesting characteristics. Section 4 introduces the notion of a 
critical path. The available amount of instruction-level parallelism in the MD4- 
like algorithms is determined in section 5, and confronted with the available 
hardware of section 3. Finally, section 6 formulates the conclusions. 

2 Basic hardware requirements 

The customized hash functions based on MD4 include MD4 [Riv92a], MD5 
[Riv92b], SHA-1 [FIPS180-1], RIPEMD (RIPE95], RIPEMD-128 and RIPEMD- 
160 [DBP96]. It are all iterative hash functions using a compression function 
as their basic building block, the input to which consists of a 128 or 160-bit 
chaining variable and a 512-bit message block. The output is an update of the 
chaining variable. Internally, the compression function operates on 32-bit words. 
The conversion from external bit strings to internal word arrays uses a big-endian 
convention for SHA-1 and a little-endian convention for all the other hash func- 
tions. Depending on the algorithm the compression function consists of 3 to 5, 
possibly parallel, rounds, each made up of 20 (SHA-1) or 16 (all other) steps. Fi- 
nally, a feedforward adds the initial value of the chaining variable to the updated 
value. Every round uses a particular iion-linear function, and every step modifies 
one word of the chaining variable and possibly rotates another. Definitions of 
the round and step functions can be found in Tables 1 and 2, respectively. 



Multiplexer 


(a: A J/) V (x A «), (x A z) V (j/ A z) 


Majority 


(x A j/) V (x A z) V (t/ A z) 


Xor 


X (By 9 z 


Or-Xor (OX) 


(x V z) © y, (x V y) (B z, (y V z) © x 



Table 1. Definition of the Boolean round functions tised in MD4-family algorithms. 



This short overview allows us to conclude that an implementation of MD4- 
like hash functions will benefit from a processor that 





350 



Algorithm 


Step function using Boolean function; 


Mux 


Maj 


Xor 


Or- Xor 


MD4 


A~{A + f{B, C, D) + Xi + 


1 


2 


3 




MD5 


A~b + {A + f(B, C, D) + Xi + 


1.2 




3 


4 


SHA-1 


from step 17 onwards: 

Xi ;= (Xi 0 X;+2 © Xi+g © 

A := A -b B«<^ + f{C, D, E) + Xi + K 
C ;= 


1 


3 


2,4 




RIPEMD 


A := (A -b f{B,C, D) + X, -b 


1 


2 


3 




RIPEMD-128 


A;= {A+ f{B,C,D) + X, + K)^-^^^ 


2L,3R 

4L,1R 




1L,4R 


3L,2R 


RIPEMD- 160 


A := E + (A + /(B, C, D) + Xi + X) 
C := 


2,4 

1 




1L,5R 


5L,1R 

3 



Table 2. Definition of the step function used in MD4-family algorithms. Additions are 
modulo 2^^. Rotating x over s bits to the left is indicated as . A,B,C,D,E are 
the words of the chaining variable, K and s are constants, Xi is a message word or 
a combination thereof, and /() is one of the functions defined in Table 1. The last 4 
columns indicate in which rounds these functions are used, and, if different, whether 
in the left (L) or right (R) parallel line. 



1. supports 32-bit operations. 

2. can handle both little-endian and big-endian memory addressing. 

3. has a rotate instruction, and, in addition to the standard logical instructions 
and, or, and xor, instructions like nand, nor, nxor, and-not, and or-not, 
where the latter two are defined as, respectively, the and and or of the first 
operand and the complement of the second. Remark that xor-not would be 
the same as nxor. 

4. is able to keep all local variables in registers: 16 message words, 5 chaining 
words, and 2 auxiliary words. The RIPEMD-family, having two parallel lines, 
requires two copies of the last two items. So in total up to 30 registers are 
required. 

5. supports parallel execution of arithmetic or logical (ALU) operations. This 
item will be further investigated in the next section. 

3 Hardware parallelism 

The basic implementation technique, applied by all nowadays processors, to im- 
prove CPU performance is pipelining. A pipeline is organized in a number of 
stages, each of which executes part of a CPU instruction. Multiple instructions 
can overlap in execution by letting each stage in the pipeline complete a part 
of a different instruction. Hence, this technique allows different parts of con- 
secutive instructions to be executed in parallel. As a consequence, pipelining 
increases the CPU instruction throughput. The execution time of each instruc- 
tion usually slightly increases due to pipeline control overhead, but this is more 







351 



than compensated for by the increase in instruction throughput. The net effect 
is a substantial decrease in the number of clock cycles per instruction, ideally 
resulting in a speedup equaling the number of pipeline stages. 

To enhance performance even further two approaches are available: increase 
the number of pipeline stages, or use a number of parallel pipelines. The former- 
architecture is called superpipelined and emphasizes temporal parallelism, while 
the latter relies on spatial parallelism and comes in two flavors: superscalar or 
very long instruction word (VLIW). The aim of these techniques is to further 
increase the throughput. A superpipelined architecture achieves this by reduc- 
ing the clock cycle time, while a superscalar/ VLIW architecture tries to issue 
more than 1 instruction per clock cycle. However, there is a limit to what can be 
gained in terms of performance. This limit is determined by two factors: a soft- 
ware one and a hardware one. The .software factor is the amount of parallelism 
in the instruction stream, i.e., the amount of data dependencies between the 
instructions. In the next section the available instruction- level parallelism in an 
instruction stream will be characterized by the its critical path. The hardware 
factor is the impact of the increase in the number of pipeline stages or pipelines 
on the clock cycle time. 

In case of a superpipelined architecture limited parallelism in the instruction 
stream will eventually lead to so-called pipeline stalls due to data dependencies: 
the execution of an instruction has to be stalled until the data needed to complete 
it become available. But even in the absence of dependencies superpipelining 
will eventually run out of steam. The clock cycle time can never be lower than 
the overhead pipelining incurs on each stage: clock skew and pipeline register 
overhead [HePa96]. Therefore, increasing the number of pipeline stages beyond 
a critical point will result in performance degradation rather than performance 
gain. 

Further increase in performance can then only be obtained by either going 
superscalar or using VLIWs. 

— A superscalar processor has dynamic issue capability: a varying number of 
instructions is issued every clock cycle. The hardware dynamically decides 
which instructions are simultaneously issued and to which pipelines, based 
on issue criteria and possible data dependencies. 

— A VLIW processor has fixed issue capability: every clock cycle a fixed number 
of instructions is issued, formatted as one large instruction (hence the name). 
The software (i.e., the compiler) is completely responsible for creating a 
package of instructions that can be simultaneously issued. No decisions about 
multiple issue are dynamically taken by the hardware. 

An advantage of a VLIW over a superscalar is that the amount of required 
hardware can be reduced: choosing the instructions to be issued simultaneously 
is done at compile-time, and not at run-time. However, the superscalar has two 
major advantages: its code density is little affected by the available parallelism in 
the instruction stream, and it can be object-code compatible with a large family 
of non-parallel processors. The major challenge in the design of a superscalar 
processor will be to limit the imp^lct on the clock cycle time of issuing and 




352 



executing multiple instructions per cycle. This is illustrated by the fact that to 
date a factor of 1.5 to 2 in clock rate has consistently separated the highest clock 
rate processors and the most sophisticated multiple-issue processors [HePa96]. 

A final uniprocessor technique to exploit parallelism inherent in many algo- 
ritlims is single-instruction, multiple-data (SIMD) processing, a term originally 
only used in the context of multiprocessor environments [Fly66]. A SIMD in- 
struction performs the same operation in parallel on multiple data elements, 
packed into a single processor word. Tuned to accelerate multimedia and com- 
munications software, these instructions can be found in an increasing number of 
general-purpose processor architectures. Examples are Intel’s MMX [PeWe96], 
UltraSPARC’s VIS [TONH96], and PA- RISC 2.0 architecture’s MAX [Lee96]. 
MMH [HaKr97] is an example of a cryptographic hash function taking advan- 
tage of this new technology. Remark that a combination of multiple-issue and 
SIMD techniques creates in effect a kind of multiple-issue, multiple-data (MIMD) 
parallelism, also called SIMD-MIMD parallelism [Lee95j. 

CPUs can be differentiated among based on the type of their internal storage: 
a stack, an accumulator, or a set of registers. Only the latter class of CPUs will 
be considered in the sequel, since virtually every processor designed after 1980 
uses that architecture, called a (general-purpose) register architecture. A further 
division of this call can be made based on the way instructions can access memory 
and on the operands for a typical ALU instruction. 

- In a register-memory architecture memory can be accessed as part of any 
instruction, while in a register-register architecture memory can only be 
accessed with load and store instructions, for which reason the latter is also 
called a load-store architecture. 

- The maximum number of operands of an ALU instruction is either two or 
three. A three-operand instruction contains a destination and two source 
operands, while in a two-operand instruction one of the operands is both a 
source and a destination for the operation. 

- The number of memory operands of an ALU instruc:tion can vary from none 
to the maximum number of operands (2 or 3). 

It turns out that two^ combinations suffice to classify all the CPUs that will be 
considered: 

class 1 - a tree-operand load-store architecture (no memory operands in ALU 
instruction): MIPS, Precision Architecture (PA-RISC), PowerPC, SPAR.C, 
Alpha. 

class 2 - a two-operand register- memory architecture (at most one memory 
operand in ALU instruction): 80x86 (including Pentium and PentiumPro), 
680x0. 

Remark that the same division also distinguishes between RISC processors (class 
1) and CISC processors (class 2). 

^ Three suffice to classify nearly all existing machines, see [HePa96, Section 2.2] 




353 



Table 3 summarizes the characteristics of these architectures with respect 
to the requirements formulated at the end of the previous section, including the 
available hardware parallelism for ALU instructions [Sta96, HePa96, Bha96] . The 
figures are for the most recent processors of each architecture. As far as RISC 
processors are concerned, these are all 64-bit, although compatibility with their 
32-bit predecessors is retained. Since Alpha was designed as a 64-bit device, the 
support for 32-bit operations is limited. All RISC architectures include support 
for both little and big-endian addressing, but especially with PA-RISC and Al- 
pha architectures an implementation is not required to implement both address- 
ing modes. An Alpha implementation is not even required to support changing 
the convention during program execution, but only at boot time [Dig96]. The 
other RISCs can use either format, selectable in either software or hardware. 
Some architectures are more than 2-way superscalar, but none can issue more 
than 2 instructions in parallel of the ALU subset that interests us: add, logical 
operations, rotate/shift. 



Architecture 


MIPS IV 


PA 2.0 


PowerPC 


SPARC V9 


Alpha EV5 


80x86 


680x0 


Word Size 


64 


64 


64 


64 


64 


32 


32 


Integer regs 


31 


31 


32 


31 


31 


7 


8 


Endianness 


select. 


select. 


select. 


select. 


Little 


Little 


Big 


AND 


and 


and, 


and,nand. 


and, 


and, 


and 


and 






and-not 


and-not 


and-not 


and-not 






OR 


or, nor 


or 


or, nor, 


or, 


or. 


or 


or 








or-not 


or-not 


or-not 






XOR 


xor 


xor 


xor,nxor 


xor.nxor 


xor,nxor 


xor 


xor 


ROT 


No 


Yes“ 


Yes 


No 


No 


Yes 


Yes 


ALU pipe s 


1'72" 


2 


2 


2 


2 


2 


2 


32-bit subset 


Yes 


Yes 


Yes 


Yes 


No”^ 


(Yes) 


(Yes) 


Processor 


R4000, 


PA-8000 


PowerPC 


Ultra- 


21164 


Pentium 


68060 




RIOOOO 




620 


SPARC 




PPro 





“ The PA-RISC 2.0 instruction shrpw rl,r2,x,t shifts the concatenation of rl and 
r2 to the right over x bits, and puts the result in t. By taking rl = r2 = t it is in 
effect a rotate. 

^ The R4000 is superpipelined {but not superscalar) and its pipeline clock is twice the 
external clock frequency, so that 2 instructions can be issued per clock cycle. 

The R.IOOOO is superscalar, but not superpipelined. 

The Alpha architecture has just 3 32-bit integer operations: add, subtract, multiply. 
In addition, it has a set of in-register manipulation instructions on 32-bit quantities, 
such as extract, insert, and mask. 

Table 3. Overview of the latest designs of the most popular computer architectures. 
Only those characteristics are listed that are relevant when implementing MD4-like 
hash functions on these architectures. 



From this table we can conclude that, with respect to the requirements of 



354 



section 2, all listed RISC architectures fulfill requirement 4, while all of the first 3 
requirements are only met by the PowerPC, and to a varying degree by the other 
RISCs. The most serious problem for a number of RISCs is certainly the absence 
of a rotate instruction, while CISCs are severely restricted by their small register 
set. In section 5 it is investigated whether such a two-way superscalar architec- 
ture suffices to exploit all the parallelism available in the MD4-like algorithms, 
using the analysis restricted to MD5 in [Tou95] as a starting point. 

So far only superpipelined and/or superscalar processors have been consid- 
ered. Nowadays most multiple-issue processors are superscalar, but VLIW is 
experiencing a comeback in popularity. An example of the latter is the recently 
introduced 32-bit VLIW processor TM-1 of Philips Trimedia [SRD96]. Up to 5 
operations can be packed into a single VLIW-instruction and executed in a single 
clock cycle. Although intended for multimedia processing, its ability to execute 
5 ALU operations in parallel creates new opportunities for fast implementations 
of existing and for the design of new cryptographic algorithms [Cla97]. 

4 Critical path length 

To determine the amount of available instruction-level parallelism in the MD4- 
like hash functions, a critical path analysis is applied. To that end the algorithms 
are represented as a so-called activity-on-edge network, which is a directed graph 
with weighted edges. 

Geometrically a graph G is defined as a set V (G) of vertices Uj interconnected 
by a set E{G) of edges e;. In a directed graph or digraph an edge e, is a directed 
pair (vi,Vj) and represented by an arrow from the tail Vi to the head Vj. A 
directed path from Vp to Vq is a sequence of vertices Uj, , , . . . , , Vq such 

that {vp, Uj, >, {uj, , Uij), . . . , , Vq) are edges in E{G). 

A network is a graph with weighted edges, i.e., to each edge e a weight iu(e) is 
assigned. In an activity-on-edge network (AOELnetwork) tasks to be performed 
are represented by directed edges. The vertices in the network represent events, 
signaling the completion of certain activities. Activities represented by edges 
leaving a vertex cannot be started until the event at that vertex has occurred. 
An event occurs only when all activities entering it have been completed. The 
weight w{e) assigned to an edge e represents the time required to complete the 
activity associated with e. 

The length of a path is then defined as w{e), where e runs over all edges 
on the path. It is the time it takes to complete the task represented by the path. 
Assuming the activities in an AOE network can be carried out in parallel, the 
minimum time to complete the overall task is the length of the longest path from 
the start vertex to the termination vertex. Such a path is called a critical path. 

The evaluation of an arithmetic expression can be modeled as an AOE net- 
work. The start vertex corresponds to the availability of the input data, the 
activities represented by the edges correspond to the arithmetic operations con- 
stituting the expression, and the termination vertex corresponds to the result of 
the expression. The weight of an edge represents the time it takes to complete 




355 



the corresponding arithmetic operation. Maximum performance in evaluating 
an arithmetic expression will therefore be obtained by making its critical path 
as short as possible, using, as much as possible, parallel execution of individ- 
ual arithmetic operations. However, we must take into account that eventually 
the evaluation of the expression will take place on a multiple-issue architecture 
of the kind described in the previous section, i.e., all parallel execution units 
are pipelined, and all advance at the same rate. Unless out-of-order execution 
is supported, operations executed in parallel all deliver their result at the same 
moment, and therefore not faster than the time of the slowest operation. For this 
reason the critical path length will be expressed in terms of required pipeline 
stages, rather than in clock cycles. A measure similar to critical path length is 
depth, as used in the analysis of parallel algorithms [Ble96]. 

5 CPL analysis of the MD4-family 

The critical path length (CPL) of the MD4-like compression functions is mainly 
determined by the CPL of the individual rounds: the CPL of the feedforward is 
at most 2. The CPL of each round is equal to the sum of the CPUs of each step, 
so that the CPL of the compression function is easily derived from the CPL of 
a step. Each step updates one of the chaining words, and this updated word 
is then input to the next step. It is this basic dependency between steps that 
will determine their CPL. An inspection of two consecutive steps of every MD4- 
family member (see Appendix A) learns us that, except for SHA-1, the chaining 
word updated in one step is input to the Boolean function of the next step. The 
chaining word updated in that step only becomes available after adding in the 
Boolean result, rotating the resulting sum, and, in case of MD5 and RIPEMD- 
160, adding in another chaining word. SHA-1, in contrast, inputs the updated 
chaining word to a simple rotate, and the next chaining word becomes available 
after only 1 more addition. These lower bounds on a step’s CPL are summarized 
in Table 4. 



Algorithm 


Operations in CP 


min. CPL 


MD4, RIPEMD, RIPEMD-128 


/().+,«< 


3 


MD5, RIPEMD-160 


/(),-(-,«<,+ 


4 


SHA-1 


4-, «< 


2 



Table 4. Lower bound on the CPL of a step for each of the MD4-fainily members, 
assuming that it takes a minimum of 1 stage to deliver the result of a Boolean function. 



SHA-1 uses exactly the same kind and amount of operations as MD5 and 
RIPEMD-160 to update a chaining variable; 1 application of a Boolean function, 
4 additions, and a rotate. However, the lower bound on a step’s CPL is only half 





356 



that of MD5 and RIPEMD-160. This is due to the fundamentally different way 
SHA-l’s step function is organized compared to all the others: 

1. The rotate is not applied to a sum of intermediate results, but to an indi- 
vidual chaining variable. 

2. None of the arguments of the Boolean function are, except for a rotate, 
updated in the previous step, but in the step before that. 

This in itself might be a coincidence, but it turns out that the lower bound is 
also the actual CPL of each SHA-1 step, while this is not the case for any of the 
other hash functions, as will be shown in the sequel. This seeming coincidence 
might well be a design principle. 

For the other hash functions the Boolean function is part of the critical path. 
This results in an increase of the CPL if the result cannot be delivered within the 
1 stage assumed for the lower bound. This is, e.g., the case for the multiplexer 
(x /\ y) V (x A z) used in all MD4-like hash functions, ft would seem that from 
the moment x becomes available, and only using and, or, and xor, it takes 
three more stages to deliver the multiplexer result [Tou95]. However, using the 
mathematically equivalent expression ((y 0 z) A x) ® 2 ; [McC94, NMVR95], it 
only takes two more stages. Since this is still 1 more than the value assumed 
in the lower bound, this multiplexer lengthens the CPL of all steps using it 
by 1, except for SHA-1, where the Boolean function isn’t necessarily part of 
the critical path. Remark that, as far as CPL is concerned, it doesn’t always 
pay off to use the equivalent multiplexer expression. Consider the alternative 
multiplexer {xAz)V {y A~z) used in MD5, RIPEMD-128, and RIPEMD-160, and 
where the critical path runs through y. Without rewriting it only takes 2 stages 
to deliver the result from the point y becomes available, but using the equivalent 
expression ((x © y) A z) ® y the CPL increases to 3. 

The results of this CPL analysis for the MD4-family of hash functions is given 
in Table 5. The analysis is done using both 3-operand and 2-operand instructions. 
With the exception of the fust and third round steps of SHA-1, the shortest 
possible critical path is the same for both operand formats. However, for the same 
CPL a realization on a 2-operand architecture requires more parallel execution 
units than on a 3-operand one. This information can be derived from the last 4 
columns, where for both formats the required number of parallel units and their 
efficiency is given. The efficiency is defined as 

number of instructions in a step 
CPL X number of execution units ’ 

and is a measure of the average usage of the parallel execution units. The closer 
the value is to 1, the higher the degree of occupancy of the parallel units. 

Table 5 also shows that if 3-opcrand instructions are used the shortest pos- 
sible critical path of all SHA-1 steps is equal to the lower bound of Table 4: 2 
stages. This is illustrated for the most involved case in Figure 1: the step function 
of the third round using the majority function. As a result the CPL of SHA-l’s 
compression function is the shortest of all the MD4-like hash functions, as shown 




357 



Algorithm 


'Step 


CPL 


Regs 


3-op pipe 


2-op pipe 




function 


min. 


real 


state 


aiix. 




eff. 


# 


eff. 










16-1-4 


1 


w 


0.75 


2 


0.88 












2 


2 


1.00 


3 














1 


2 


1.00 


3 


0.78 


MD5 


Muxl 


4 


5 


16-1-4 


1 


li 


0.80 


2 


0.90 




Mux2 




5 




2 


2 


0.90 


3 


0.73 




Xor 




4 




1 


2 


0.88 


2 


1.00 




Or-Xor 




5 




1 


2 


0.80 


2 


Mm 


SHA-1 


Mux“ 




2/3'’ 


16-1-5 


5 


7l 


0.93 


□ 


m 




Xor 




2 




4 


6 


1.00 


7 






Maj 




2/3'' 




5 


7 


1.00 


6 






Xor 




2 




4 


6 


1.00 


7 








B 


4 


16-b8 


2 


4 


0.81 


4 


0.94 






m 


4 




4 


4 


0.94 


5 


0.95 






m 


3 




2 


4 


1.00 


5 


0.93 


RIPEMD-128 


Xor/Mux2 


B 


3/4'' 


16-1-8 


3 


4 


0.92 


T 


0.89 




Muxl /OX 


B 


4 




2 


4 


0.88 


4 


1.00 


RIPEMD-160 


Xor/OX2 


4 


4 


16-1-10 


2 


4 


1.00 


“si 


0.90 




Muxl/Mux2 




5 




3 


4 


0.95 


5 


0.88 




OXl/OXl 




5 




2 


4 


0.90 


4 


1.00 



“ The message expansion only starts at step 17. Therefore, the first 16 steps have only 
an efficiency of 0.64 and 0.61, respectively. 

** 3-operand/2-operand figure 
Xor/Mux2 figure 



Table 5. Results of the critical path analysis on the MD4-like steps. Listed are for each 
step the lower bound and the actual value of the CPL, the required number of state 
(message+chaining) and auxiliary registers, and the required number and efficiency 
of parallel ALU pipelines, both for 3-opcrand and 2-operand instruction formats. The 
figures for the last two rounds of RIPEMD-128 and RIPEMD-160 are not listed, since 
they are the same as those for the first two rounds. 



Algorithm 


CPL 

(stages) 


#Regs 


P 

# 


ipes 

Eff. 


MD4 


176 


22 


2 


0.91 


MD5 


304 


22 


2 


0.84 


SHA-1 


160 


26 


7 


0.85 


RIPEMD 


176 


28 


4 


0.91 


RIPEMD-128 


240 


27 


4 


0.90 


RIPEMD-160 


368 


29 


4 


0.96 



Table 6. The shortest possible CPLs of the MD4-like compression functions (without 
feedforward), and the required resources in terms of registers and parallel execution 
units. A 3-operand instruction format is assumed. 







358 










Fig. 1. The first 4 steps of SHA-l’s round 3 on a 7- way multiple-issue architecture 
using a 3-operand instruction format. Instructions executed in parallel are drawn on 
the same horizontal level, while instructions belonging to the same step are shown 
between diagonal dotted lines. A CPL of 2 stages is realized by executing 7 instructions 
of up to 4 different steps in parallel, as shown between the 2 horizontal dotted lines. 



in Table 6. Tb realize a CPL of 2 in round 1 and 3 of SHA-1, two parallel rotates 
of the same variable are required, see Figure 1. However, the rotate instruction 
is a unary operation, and hence its 2-operand format has equal source and desti- 
nation, making a parallel execution on the same variable impossible. Comparing 
the requirements of Table 6 with the resources of Table 3 shows that current su- 





















359 



perscalar architectures are only able to exploit all the available instruction-level 
parallelism of MD4 and MD5, two algorithms that as collision-resistant hash 
functions can no longer be considered as secure [Dob96a, Dob96b, Rob96]. 

The natural question to ask is: how realistic are the prospects for a general- 
purpose processor issuing one day 7 ALU instructions in parallel? Issuing many 
instructions per clock is difficult due to an increasingly complex issuing logic 
having a negative impact on the clock cycle time. Therefore, a high issuing rate 
will only pay off if the parallel execution units are kept sufficiently busy, so that 
the increase in cycle time will be more than compensated for by an enhanced 
throughput. The CPL analysis of SHA-1 shows that some algorithms certainly 
contain enough instruction-level parallelism to sustain such an increased issuing 
rate, but it is doubtful whether this will be the case for an average instruction 
sequence. 

The RIPEMD-family has, in contrast to SHA-1, two completely independent 
lines, leaving room for exploiting parallelism on a different level: the use of a 
multiprocessor system where the multiple-issue capability of each processor is 
limited, rather than a uniprocessor system with a single, very sophisticated pro- 
cessor capable of offering all the required parallelism on its own. In this respect 
[HePa96, Section 4.10] states that ‘to date, computer architects do not know how 
to design processors that can effectively exploit instruction-level parallelism in a 
multiprocessor configuration.’ The capability of placing two fully configured pro- 
cessors on a single die, which should be possible around the turn of the century, 
might result in a new type of architecture allowing processors to be more tightly 
coupled than before, and at the same time allowing them to achieve very high 
performance individually. Therefore, exploiting the instruction-level parallelism 
of the RIPEMD-family in the near future seems much more likely, since each of 
the independent lines only requires a two-way superscalar architecture, which is 
already a standard feature of most processors today. 

Algorithms with more instruction-level parallelism than the hardware they 
are executed on can provide, will inevitably see their CPL increase. This is illus- 
trated by means of the first step of MD4’s round 2. Using a 3-operand instruction 
format two parallel units suffice two exploit all available instruction-level paral- 
lelism, as illustrated in the left diagram of Figure 2. Remark that the efficiency 
is 100%. Using a 2-operand instruction format will increase the number of in- 
structions, as operations of the form A D op C will require two instructions: 
A B and A t— A op C. Due to the already 100% efficiency of the 3-operand 
instruction stream, 3 parallel units are now required to realize the same CPL 
of 4. Therefore, an implementation using only 2 parallel units will inevitably 
have a longer critical path. This is illustrated in the right diagram of the same 
figure, showing an increase in CPL of 1 stage. The left diagram is expected to 
be found on e.g., a PowerPC 604 [SDC94] or a PA 7100LC [BKQW95], while 
the right diagram resembles the situation on a Pentium processor, except that a 
Pentium cannot execute a rotate over more than 1 bit in parallel with any other 
instruction, resulting in a further increase of the CPL. 




360 



A Xo 





Fig. 2. The first step of MD4’s round 2 implemented on a two-way superscalar archi- 
tecture. Instructions executed in parallel are drawn on the same horizontal level, while 
instructions belonging to the same step axe shown between diagonal dotted lines. The 
left diagram uses 3-operand instructions, and shows both instruction pipes already oc- 
cupied for 100%. The use of 2-operand instructions increases the number of instructions 
by 2, either requiring an additional instruction pipe for the same CPL, or resulting in 
an increased CPL on the same architecture, as shown on the right. 



6 Conclusion 

The new generation of customized hash functions based on MD4 (RIPEMD-128, 
RIPEMD-160, SHA-1) contains more instruction- level parallelism than current 
general-purpose computer architectures are able to provide. The critical path of 
SHA-1 is shorter than any of the other MD4-like hash functions, but exploiting 
it would require a 7-way multiple-issue architecture. Exploiting the instruction- 
level parallelism of the RIPEMD-family in the near future seems more likely, 
due to their organization in two independent lines, each of which only requires 
a 2-way superscalar architecture. Opening up new perspectives is the recent 
introduction of a new 5- way VLIW processor, primarily intended for multimedia 
processing. 



References 

[BKQW95] M. Bass, P. Knebel, D.W. Quint, W.L. Walker, “The PA 7100LC micro- 
processor: a case study of IC design decisions in a competitive environ- 
ment,” HP Journal, Vol. 46, No. 2, April 1995, pp. 12-22. 

[Bha96] D.P. Bhandarkar, Alpha implementations and architecture, Digital Press, 
Boston, MA, 1996. 







361 



[Ble96] 

[BGV96] 

[Cla97] 

[Dig96] 

[Dob96a] 

[Dob96b] 

[DBP96] 

[FIPS180-1] 

[Fly66] 

[HaKr97] 

[HePa96] 

[Lee95] 

[Lee96] 

[NMVR95] 

[McC94] 

[PeWe96] 

[RIPE95] 

[Riv92a] 

[Riv92b] 



G. E. Blelloch, “Programming parallel algorithms,” Communications of 
the ACM, Vol. 39, No. 3, 1996, pp. 85-97. 

A. Bosselaers, R. Govaerts, J. Vandewalle, “Fast hashing on the Pentium,” 
Advances in Cryptology, Proceedings Crypto ’96, LNCS 1109, N. Koblitz, 
Ed., Springer-Verlag, 1996, pp. 298-312. 

C. Clapp, “Optimizing a fast stream cipher for VLIW, SIMD, and su- 
perscalar processors,” Fast Software Encryption, LNCS, E. Biham, Ed., 
Springer-Verlag, 1997, to appear. 

Alpha architecture handbook. Version S, Digital Equipment Corp., May- 
nard, MA, 1996. 

H. Dobbertin, “Cryptanalysis of MD4,” Fast Software Encryption, 
LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 53-69. 

H. Dobbertin, “The status of MD5 after a recent attack,” CryptoBytes, 
Vol. 2, No. 2, 1996, pp. 1-6. 

H. Dobbertin, A. Bosselaers, B. Preneel, “RIPEMD-160; A Strength- 
ened Version of RIPEMD,” Fast Software Encryption, LNCS 1039, 

D. Gollmann, Ed., Springer-Verlag, 1996, pp. 71-82. Final version avail- 
able via ftp at ftp . esat .kuleuven.ac .be/pub/COSIC/bosselae/ripemd/. 
FIPS 180-1, “Secure hash standard,” US Department of Commerce/NIST, 
Washington D.C., April 1995. 

M. Flynn, “Very high-speed computing systems,” Proceedings of the 
IEEE, Vol. 54, No. 12, 1966, pp. 1901-1909. 

S. Halevi and H. Krawczyk, “MMH: Software message authentication in 
the Gbit/second rates,” Fast Software Encryption, LNCS, E. Biham, Ed., 
Springer-Verlag, 1997, to appear. 

J. L. Hennessy and D.A. Patterson, Computer architecture: a quantitative 
approach, 2nd edition, Morgan Kaufmaiin Publishers, San Francisco, 1996. 
R. Lee, “Accelerating multimedia with enhanced microprocessors,” IEEE 
Micro, Vol. 15, No. 2, April 1995, pp. 22-32. 

R. Lee, “Subword parallelism with MAX-2,” IEEE Micro, Vol. 16, No. 4, 
August 1996, pp. 51-59. 

D. Naccache, D. M’Raihi, S. Vaudenay, D. Raphael!, “Can DSA be im- 
proved? Complexity trade-offs with the Digital Signature Standard,” Ad- 
vances in Cryptology, Proceedings Eurocrypt’94, LNCS 950, A. De Santis, 
Ed., Springer-Verlag, 1995, pp. 77-85. 

K. S. McCurley, “A feist portable implementation of the secure hash algo- 
rithm, III,” Technical Report SAND93-2591, Sandia National Laborato- 
ries, 1994. 

A. Peleg and U. Weiser, “MMX technology extension to the Intel archi- 
tecture,” IEEE Micro, Vol. 16, No. 4, August 1996, pp. 42-50. 

RIPE, “Integrity Primitives for Secure Information Systems. Final Re- 
port of RACE Integrity Primitives Evaluation (RIPE-RACE lOfO),” 
LNCS 1007, A. Bosselaers and B. Preneel, Eds., Springer-Verlag, 1995. 
R.L. Rivest, “The MD4 message-digest algorithm,” Request for Com- 
ments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, 
April 1992. 

R.L. Rivest, “The MD5 message-digest algorithm,” Request for Com- 
ments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, 
April 1992. 




362 



[Rob96] 

[SRD96] 

[SDC94] 

[Sta96] 

[Tou95] 

[TONH96] 



M. Robshaw, “On recent results for MD2, MD4 and MD5,” Bulletin No. 4, 
RSA Laboratories, November 1996. 

G.A. Slavenburg, S. Rathnam, H. Dijkstra, “The Trimedia TM-1 PCI 
VLIW media processor,” Hot Chips VIII Conference, Stanford University, 
Palo Alto, CA, 1996. 

S.P. Song, M. Denman, J. Chang, “The PowerPC 604 RISC microproces- 
sor,” IEEE Micro, Vol. 14, No. 5, October 1994, pp. 8-17. 

P.H. Stakem, A practitioner’s guide to RISC microprocessor architecture, 
John Wiley k. Sons, New York, 1996. 

J. Touch, “Performance analysis of MD5,” Proceedings of ACM SIG- 
COMM’95, Cornp. Comm. Review, Vol. 25, No. 4, 1995, pp. 77-86. 

M. Tremblay, J.M. O’Connor, V. Narayanan, L. He, “VIS speeds new me- 
dia processing,” IEEE Micro, Vol. 16, No. 4, August 1996, pp. 10-20. 



A Dependencies between consecutive steps 



This appendix lists, for each member of the MD4-family, the first two steps of 
an arbitrary round. 



- MD4 

A ;= (A + f{D, C, D)+Xi + 

D :={D + f{A, B, C) + Xj + 

- MD5 

A-.= B + {A + D) + X, + 

D:= A + {D + f{A,B,C) + Xj + 

- SHA-1 

Xi ;= {Xi ® Xi +2 e Xi+8 © 

E:=E + + f(B,C,D) + X, + K 

B := B«<30 



D:=D + E«<^^ + f(A,B,C) + Xi+i + K 
A := A<«“ 

- RIPEMD 



A := (A + f{B,C, D) + X.i -t- 
D:={D + f{A, B, C) + Xj 4- R:)«<*= 
- RIPEMD-128 

A~~{A + f{B, C, D) + Ai + K)«<”^ 
D -.= {D + f(A,B, C) + X, + K)«<^-^ 



RIPEMD-160 

A:=: E+{A + f{B,C,D)+Xi 
C -.= C<«i° 



+ K) 



«<S1 



E D + (E + /(A, B, C) + Xj + 
B := 




Fast Arithmetic Architectures for Public-Key 
Algorithms over Galois Fields GjP((2”)”^) 



Christof Paar 
(christof Qece . wpi . edu) 



Pedro Soria-Rodriguez 
(sorrodpSece . wpi . edu) 



ECE Department 
Worcester Polytechnic Institute 
Worcester, MA 01609, USA 



Abstract. This contribution describes a new class of arithmetic archi- 
tectures for Galois fields GF{2^). The main applications of the tirchitec- 
ture are public-key systems which are based on the discrete logarithm 
problem for elliptic curves. The architectures use a representation of the 
field GP(2*) as GF((2")”‘), where k = n - m. The approach explores bit 
parallel arithmetic in the subfield GF(2"), and serial processing for the 
extension field arithmetic. This mixed parallel-serial (hybrid) approach 
can lead to very fast implementations. The principle of these approach 
was initiaJly suggested by Mastrovito. As the core module, a hybrid mul- 
tiplier is introduced and several optimizations are discussed. We provide 
two different approaches to squaring which, in conjunction with the mul- 
tiplier, yield fast exponentiation architectures. 

The hybrid architectures are capable of exploring the time-space trade- 
off paradigm in a flexible manner. In particular, the number of clock 
cycles for one field multiplication, which is the atomic operation in most 
public-key schemes, can be reduced by a factor of n compared to all 
other known realizations. The acceleration is achieved at the cost of 
an increased computational complexity. We describe a proof-of-concept 
implementation of an ASIC for exponentiation in GE((2'*)^), m variable. 



1 Introduction 

Finite fields play an important role in public-key cryptography. Many public-key 
algorithms are either based on arithmetic in prime fields or on extension fields of 
GF{2), denoted by GF(2*). Examples of schemes which can be based on Galois 
fields of characteristic two include the classical Diffie-Hellman key establish- 
ment protocol [1], the ElGamal encryption and digital signature scheme [2], and 
systems which use elliptic [3] and hyperelliptic curves [4]. Public-key algorithms 
which explore the assumed difficulty of the discrete logarithm (DL) in finite fields 
require extension degrees k of about 1000 bits in order to provide reasonable se- 
curity [5, 6]. Schemes based on the DL problem over (non-supersingular) elliptic 
curves should have extension degrees of fe > 140 [7]. These long word lengths 
required for public-key algorithms lead to relatively low performance which is 
widely recognized as a major shortcoming in practical applications. The provi- 
sion of fast hardware architectures for arithmetic in Galois fields GF{2^) is thus 
of great interest. 



W. Fumy (Ed.); Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 363-378, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




364 



In the case of algorithms over GF{2^), addition can be realized with k bit- 
wise exclusive OR operations. Addition is thus a fast and relatively inexpensive 
operation. The other field operation, multiplication, on the other hand is very 
costly in terms of gate count and delay. Multipliers can be classified into bit par- 
allel and bit serial architectures. The former ones compute a result in one clock 
cycle but have an area requirement of 0{k^). Bit serial multipliers compute a 
product in k clock cycles but have an area requirement of 0{k). The two types 
of architectures are a typical example of the space-time trade-off paradigm. The 
main idea of this contribution is the introduction of a new class of Galois field 
arithmetic architectures which are faster than bit serial ones but with an area 
complexity which is considerably below the k^ bound of bit parallel ones. It 
appears that avoiding the two extreme choices provided by bit parallel and bit 
serial architectures (very fast and large versus relatively slow and small) can lerid 
to architectures with more optimized performance/cost characteristic for many 
applications. We will refer to the new arithmetic schemes as hybrid architec- 
tures. The name and the principle of the architecture was first introduced in [8, 
Chapter 6]. The reference, however, only describes a hybrid multiplier and does 
not address optimizations, hybrid squaring, exponentiation, and applications to 
cryptography as it is done here. The main application of the new architecture are 
systems based on elliptic curves. It is not recommended to use the architecture 
for public-key algorithms based on the DL in finite fields since it is based on 
subfields. 

The outline of the remaining paper is as follows. Section 2 summarizes pre- 
vious approaches of finite field architectures in general and of public-key ar- 
chitectures in particular. Section 3 introduces the general structure of the new 
multiplier architecture together with several optimizations. Section 4 describes 
two architecture options for hybrid squaring which enables the design of fast ex- 
ponentiation units. Section 5 shows the design and results of a proof-of-concept 
ASIC implementation of an exponentiation unit. Section 6 concludes with a sum- 
mary of results and a description of areas of application. 



2 Previous Work 

The use of composite fields GF((2")"*) for public-key schemes, more specifically 
for elliptic curve systems, is described in [9, 10, 11]. All references deal with 
software implementations which explore table look-up for subfield arithmetic. 
Neither reference mentions the application to hardware architectures. 

Computer architectures for finite field arithmetic have drawn considerable 
attention over the past decade. The majority of publications have concentrated 
so far on finite field architectures for relatively small fields, thus being mainly 
relevant for the implementation of channel codes. The focus in the research 
literature has been on architectures for the arithmetic operations multiplication 
[12, 13, 14], inversion [15, 16, 17], and exponentiation [18, 19, 20]. Multiplication 
in GF(2*) is usually considered the crucial operation which determines the speed 
or throughput of a cryptosystem. Finite field architectures can be classified into 




365 



bit serial (one output bit per clock cycle) and bit parallel ones (all output bits 
are computed within one clock cycle.) All proposed schemes are based on either 
of these two types. Architectures which are of hybrid-type (partially serial, and 
partially parallel), as proposed here, have only be mentioned in the dissertation 
[8, Chapter 6]. 

Another classification of Galois field architectures is possible with respect to 
the basis representation of field elements. The most popular representations are 
standard (or polynomial or canonical), dual basis, and normal basis. Each basis 
representation has certain advantages; polynomial and dual basis representations 
are well suited for bit parallel multipliers, whereas normal basis representation 
allows for very efficient exponentiation. There have have been a few attempts to 
compare different types of arithmetic architectures for Galois fields. In [21, 22, 23] 
are multipliers in different basis representation compared. The focus is mainly 
on relatively small fields. Reference [18] compares normal and standard basis 
exponentiation architectures which are relevant for public-key algorithms. 

There is a relatively small number of published work on Galois field architec- 
tures especially designed for cryptographic applications. Many of the bit serial 
architectures mentioned above, however, also extend to cryptographic applica- 
tions. It should be noted that the 0(k^) complexity bound of parallel multi- 
plier architectures would result in unrealistically large arithmetic units for most 
public- key algorithms. So far, polynomial basis and normal basis representation 
have been used for cryptographic applications. 

There are two relevant reported implementations which gain their security 
from the discrete logarithm in finite fields. Reference [24] contains a detailed de- 
scription of an implementation of an exponentiation unit in the field GF(2®®^), 
using an optimal normal basis representation of field elements. Reference [25] 
deals with various aspects of bit serial arcliitectures in Galois fields for crypto- 
graphic applications. An implementation of an exponentiation unit in GF(2^^®) 
using polynomial basis representation is described. In addition, there is the early 
description of an implementation of a cryptosystem over GF(2^^^) [26]. 

More recently, there have also been publications about successful implemen- 
tations of elliptic curve systems in hardware. Reference [27] describes the realiza- 
tion of a non super-singular elliptic curve system over GF(2^^^). Field elements 
are represented with respect to an optimal normal basis. 

3 Hybrid Multipliers 
3.1 General Architecture 

This subsection describes the general structure of a hybrid multiplier architec- 
ture for Galois fields in standard basis. The critical operation in terms of system 
performance of almost all public-key algorithms is multiplication. Both expo- 
nentiation (in schemes based on the DL in finite fields) as well as inversion (in 
schemes based on the DL over elliptic curves) rely on finite field multiplication 
as elementary function. The new class of architecture for arithmetic in GF(2*) 
will be based on the following two principles: 




366 



1. Representation of the field GF(2*) as GF((2”)'"), where nm = k-, 

2. Application of bit parallel architectures to arithmetic in the subfield GF(2”) 
and of a bit serial structures to arithmetic in the extension field GF((2”)'"). 
The goal is to obtain an acceleration by reducing the number of clock cycles 
required for a field multiplication. 

We consider arithmetic in an extension field of GF(2"). The extension degree 
is denoted by m, so that the field can be denoted by GF((2”)”*). This field 
is isomorphic to GF(2")/(P(a:)), where P(x) is an irreducible polynomial of 
degree m over GF(2"). In the following, a residue class will be identified with 
the polynomial of least degree in this class. For a standard basis multiplier we 
consider two field elements U, V : 



U{x) = Um-ix”* ^ + • • • + UyX + Uq, 

V{x) = Vm-lX^~^ d h V\X + Vo, 

where Ui,Vi 6 GF(2"). Field multiplication with the two elements is performed 
by the operation W{x) = U{x) x V{x) mod P{x), with W being the product 
element, and P{x) = x"^ + ^ GF(2"), is a monic irreducible 

polynomial. A possible hardware realization for this operation, polynomial mul- 
tiplication modulo the field polynomial, is shown in Figure 1. At the kernel of 
the architecture is a linear feedback shift register (LFSR) of width n and length 
m. The registers of the LFSR hold the Wi coefficients. The coefficients pi of the 
field polynomial are the feedback coefficients of the the LFSR. 




Fig. 1. General structure of a hybrid multiplier in GF((2")’") 



If n = 1, the structure degenerates into one of the classical bit-serial archi- 
tectures for multiplication in the field GF(2'") (see, e.g., [28]). In this case all 
lines are one-bit connections. The U operand is fed into the architectures in a bit 

















367 



serial manner. The product coefficients tn, are available after m clock cycles, i.e., 
multiplication of m bit operands requires m clock cycles. All hardware imple- 
mentations of public- key cryptosystems we are ware of are designed with n = 1, 
i.e., m = k. For the large m occurring in public-key algorithms, the resulting 
processing time can be considerable. The complexity of the classical architecture 
with n = 1 is given by: 



#AND = 2nm = 2k, 

#XOR = nm = k, 

#REG - 3fc, 

#CLK = nm = k, 

where we consider the number of GF{2) multiplications (AND), additions (XOR), 
registers (in bits), an number of clock cycles for one multiplication, respectively. 

However, if the field GF(2*) needed in a given cryptographic application 
allows a composite field extension k = nm, n > 1, application of the same prin- 
cipal structure lea.ds to the new architecture. In that case, all connections are n 
bit wide buses and all arithmetic is performed in the subfield GF(2”). Assum- 
ing bit parallel architectures for the subfield multiplication and addition in the 
LFSR, the result is now computed in m clock cycles. We name this architecture 
a hybrid multiplier. The hybrid architecture reduces the number of clock cycles 
for one multiplication by a factor of n = k/m. 

One attractive feature of the hybrid architecture is that it is still highly reg- 
ular and modular which are very desirable features for VLSI realizations [29]. 
The multiplier can be built from m identical modules to which we will refer 
as “slices”. Each slice consists of two subfield multipliers, one subfield adder, 
and three n-bit registers. The only global communication required is an n-bit 
feedback path which is common to all slices. The architecture allows also full 
flexibility with respect to the field polynomial P{x) . Any monic m degree polyno- 
mial over GF(2") can be loaded into the architecture. The field polynomial can 
be changed during operation after each multiplication if desired. The complexity 
of the general hybrid architecture is given by: 

#AND = 2mn^ = 2nk, 

2k 

#XOR = m{2{n^ — 1) + n) = 2nk + k , 

n 

#REG = 3A:, 

#CLK = m, 

where a bit parallel subfield multiplier with a complexity of n^ AND gates and 
- 1 XOR gates [12] is assumed. It can be seen that the number of logic 
gates increases by roughly a factor of 2n compared to the traditional approach, 
whereas the number of registers is the same. The major advantage of the hybrid 
architecture is that the number clock cycles for one multiplication is reduced 
by a factor of n. The hybrid multiplier explores thus the time-space trade-off 
paradigm, where the degree of the trade-off (performance versus complexity) is 



( 1 ) 

( 2 ) 




368 



determined by the field decomposition n ■ m. The following section describes two 
optimizations of the general architecture which result in considerably reduced 
gate counts. 

3.2 Optimizations 

Binary Field Polynomials In many public-key algorithms, in particular for el- 
liptic curves schemes, the extension degree m can be chosen such that gcd(n, m) = 1. 
In this case a field polynomial P(x) which is irreducible over GF{2) is also irre- 
ducible over GF(2’^) [30]. In particular, we can now chose a P{x) with coefficients 
from GF{2). Field polynomials with binary coefficients result in a hybrid mul- 
tiplier with drastically improved complexity. A block diagram of the improved 
multiplier is shown in Figure 2. 




Fig. 2. Hybrid multiplier in GF((2")”*) with binary field polynomial 



In slice i, the signal from the feedback path is either passed through (coef- 
ficient Pi = 1 ) or not processed (coefficient pi = 0). Hence, in each slice, the 
general multiplier with the polynomial coefficient pi is now replaced by a binary 
n-bit switch. A switch can be realized efficiently in digital hardware. In a simple 
realization the switch can be built by n AND gates, but more efficient realiza- 
tions, e.g., through transmission gates [29], are eilso possible. If we neglect the 
switch complexity relatively to the other components, an over-all complexity of 

#AND = nk, (3) 

#XOR = A: + 1 - , (4) 

k 

#REG = 2fc -I- -, 
n 

#CLK = m. 



is achieved. 














369 



The architecture for binary field polynomials reduces the gate complexity 
roughly by half and the number of register bits by about one third, compared 
to the general hybrid multiplier from Section 3.1. It should be noted that the 
architecture still allows flexibility with respect to the field polynomial. Any ir- 
reducible polynomial with coefficients from GF{2) of degree m can be loaded 
into the architecture and serve as the field polynomial. Also, the high degree of 
modularity and regularity is preserved with the optimization. 

A further optimization is possible if the field polynomial is fixed. In this 
case switches are replaced by a connection or no connection. The optimum field 
polynomial for this option are trinomials 



Low Complexity Subfield Multiplication The gate complexities in Equa- 
tions (3) and (4) is now mainly determined by the bit parallel subfield multiplier. 
Applying a more efficient architecture to the subfield multiplication can thus be 
very beneficial to the over-all system complexity. 

So far we assumed a subfield architecture with a complexity of AND gates 
and — 1 XOR gates. The vast majority of bit parallel architectures has at least 
these gate counts. However, the complexity can be further reduced by applying 
the bit parallel architecture described in [31, 32]. The multipliers are based on 
a representation of the subfield GF(2") through another field decomposition 
GF((2°)P), where n — o ■ p. In particular, for values of n = 6, . . . , 14, n even, 
a representation of GE(2") = Gf ((2”/^)^) will lead to highly efficient archi- 
tectures. This range of values for n appears to be very attractive for practical 
applications such as elliptic curve cryptosystems. Elements A,B of the sub- 
field are now represented as polynomials with a maximum degree of one over 
GF(2"/2): A{y) = aiy + oo and B{y) = hy + bo, where Oo,ai,6o,fti € GF(2”/^). 
The complexity of one subfield multiplication can be reduced to #AND = 3/4n^ 
and #XOR « 3/4n^ A2n-3 [32]. 

It should be noted that for the specific value of n = 8, it has been shown 
[23] that a multiplier based on the decomposition GF((2‘*)^) requires in fact a 
considerably smaller number of gate equivalences in an ASIC implementation 
than architectures based on Gf (2®). At the same time, the former architecture 
was found to be faster than the latter ones which is an attractive feature since 
the subfield multiplier is in the critical path of the architecture. 

The structure of a hybrid multiplier with a decomposed subfield GF((2"'^^)^) 
is still given by Figure 2 but the complexity is reduced to: 

3 

#AND = -nk, 

#XOR= ^ n) 

#REG = (2 -I- -)*. 

n 

#CLK = m. 




370 



The introduction of the subfield decomposition has thus reduced the gate 
complexity by roughly 25%. If the complexity after the two optimization is com- 
pared with the one of the bit serial architecture given in (1) and (2), it can be 
seen that the time performance (clock cycles) improves by a factor of n, whereas 
the gate complexity increases only by a factor of 3/4n. 

3.3 Comparison to Normal Base Multipliers 

Some implementations of public-key schemes over fields GF{2^) use a normal 
basis (NB) representation of field elements [24, 27]. The computational complex- 
ity for one multiplication depends heavily on the specific field polynomial [33] . 
A lower complexity bound, however, is given for irreducible polynomials which 
have a corresponding optimum normal basis [34]. Assuming an optimum normal 
basis for non-composite fields GF{2'‘), the complexity is given by #AND = k, 
#XOR = 2fc — 2, and #CLK = k. The NB multiplier requires thus n times as 
many clock cycles as the hybrid multiplier but has a lower gate count. Other 
advantages of the hybrid architectures are that the field polynomial can be 
changed and that the field extension m can be alterable, as will be explained 
in Section 5.1. However, a major a.dvantage of a NB is that squaring can be 
accomplished through a simple cyclic shift whereas squaring with the hybrid 
architectures is more costly as will be described in the following section. 

4 Squaring and Exponentiation 

Besides multiplication, the other arithmetic operation of central importance 
for the implementation of public-key algorithms is squaring. Systems based on 
the the DL problem for non-supersingular elliptic curves require two multipli- 
cations and one inversion, with respect to time-critical arithmetic, per group 
operation if non-projective coordinates are used. A popular method for in- 
version in hardware is based on Fermat’s Little Theorem, according to which 
VA € GF(2*), A ^ 0. Although the extended Euclidean algo- 
rithm has a better theoretical performance, it requires more operands which in 
turn need more registers. It is thus less attractive for hardware implementations. 
The exponentiation in Fermat’s Theorem can be realized using addition chains. 
The standard approach to exponentiation is the square-and-multiply algorithm 
or one of its derivatives (additions chains, sliding window, etc.) [35]. If the inputs 
to the algorithm are denoted by A and e and the output is the value A®, each 
iteration stage of the algorithm performs one of the two operations: 

1. Multiply result of previous iteration with A. 

2. Square result of previous iteration. 

The hybrid multiplier architecture from the previous section can be applied to 
the first operation. In this section, two architectures for squaring a result of a 
preceding multiplication (or squaring) will be developed which dovetail with the 
multiplier architecture. 




371 



4.1 Serial Squaring 

The first architecture is based on the application of the general multiplier from 
Section 3 to squaring. We assume that the variable to be squared is contained 
in the registers Wi,i = 0, 1, ... ,m — 1, of a hybrid multiplier as a result of a 
preceding multiplication or squaring. In order to square this variable we must 
assure that its coefficients are available as both inputs of the multiplier. This is 
achieved by the following two operations: 

Preparation of operands: Before start of squaring, load values from register 
Wi into input register vi for i = 0, - 1. This can be performed 
simultaneously in all slices. 

Squaring: Perform regular multiplication in m clock cycles. In clock cycle i, 
connect variable v, as global input coefficient to all slices. 

A corresponding hardware architecture is shown in Figure 3. It can be seen 
that the squaring functionality can be added to the hybrid multiplier with a 
modest amount of additional hardware. In every slice two switches must be 
added. Globally, a single control unit must be added to the system. The switches 
sp perform the initial parallel loading of the Vi registers. The switches ss allow for 
the generation of the global input coefficients during the multiplication cycles. 
The control logic assures that switch (and only switch ssm-i-i) is closed 

during cycle i. The control logic can be realized as a counter with [logj m] bits 
and a ( [log 2 m] )-to-m decoder. 




Parallel 

Load 



Fig. 3. Structure of a serial squarer for GF((2’‘)"*) 



The squaring functionality can be added to all three multiplier options dis- 
cussed in Section 3. As stated earlier, switches can be realized very efficiently 
in ASIC implementations. The computational complexity of the expanded ar- 
chitecture is thus essentially the same as the hybrid multiplier complexity. It 














372 



should be noted that a single squaring requires the same time as a general mul- 
tiplication, namely m clock cycles. This is a major drawback compared to NB 
architectures which realize squaring in a single clock cycle by means of a cyclic 
shift. The following section introduces a much faster but more costly approach 
to squaring. 



4.2 Parallel Squaring 



Exponentiation with a k bit exponent requires fc — 1 squarings and on average 
not more than {k — l)/2 multiplications. Hence, a squaring architecture which 
requires fewer clock cycles than the one from the previous section can greatly 
improve the performance of a public-key system based on exponentiation. In the 
following we assume again that the input operand for the squaring is being held 
in the w registers of the hybrid multiplier. The architecture computes the result 
T{x) — W“^{x) in one clock cycle, and puts the ti coefficients in the wi registers. 
For the development of a parallel squarer, i.e., squaring within one clock cycle, 
we note that [30] 

( m — 1 \ ^ m — 1 m — 1 

lUiX* I = ~ XI (mod P{x)). 

i=0 / i=0 t=0 

A realization of this operation must provide the following two extensions to a 
hybrid multiplier; 

Subfield squaring: In every slice, compute w?. 

Shift of coefficients and modulo reduction: Shift and summation of the 
squared coefficients wf yield the result coefficients U. 

The first operation, subfield squaring, is uniformly applied to all slices and is 
local to each slice. The shifting and summation of the squared values, however, 
require communication between slices. The summation is heavily dependent on 
the field polynomial P{x) used. For a general description of the second operation 
we assume that P{x) has only binary coefficients, as suggested for the optimiza- 
tion of Section 3.2. Also, we assume that the degree m of P{x) is odd which is a 
necessary condition if the second optimization from Section 3.2 is applied. The 
squaring T{x) = W'^{x) can now be expressed in matrix notation as 



f to 


\ 




/lO • 
00 • 


O O 


tl 






0 1 • 


■ 0 




-J 




Voo ■ 


■ 1 



ro,o 


? 

1 


n.o 


• • Ci,(m-3)/2 


?'2,0 


• • C2,(m-3)/2 


Cm— 1,0 


Cm— l,(m — 3)/2 



fwl \ 

“^(m+l)/2 
\Wm-l / 



( 5 ) 



where Tjj € GF(2).This “reduction matrix” consists oftwo binary sub-matrices: 
A m X (m-t- 1)/2 matrix which describes the shift of the values Wq,. , 'w^m-i)/ 2 ^ 




373 



and a m X (m - l)/2 matrix which describes the modulo reduction summation 
of the coefficients actual elements of the reduction 

matrix depend heavily on the specific field polynomial P{x) used. In order to 
obtain low computational and connectivity complexities, it is desired to use 
an irreducible polynomial with low coefficient weight. In the following we will 
develop a complexity expression for field polynomials of the type P{x) — a;*" + 
a: + 1 which yield the lowest possible modulo reduction complexity. 

If we assume a non-optimized binary field polynomial of degree n for the 
subfield, it can be shown that one subfield squaring requires on average (n^ + 
2n— 4)/4 XORgates. Using the trinomizd P{x) — x"^+x + l results in a reduction 
matrix with m — 1 “one” entries. The matrix- vector multiplication in (5) requires 
then exactly (m - l)/2 additions in GF(2”) or n{m - 1)/2 XOR gates. Summing 
of the two complexity contributions, subfield squaring and modulo reduction, 
yields an over-all gate complexity for the parallel squarer of 

#XOR = i -t 3A: - 4^ - 2nj . 

If this gate complexity is compared to the gate count of the hybrid multiplier 
given in (3) and (4) it can be seen that the parallel squarer has about 1/8 of 
the hybrid multiplier gate count. Hence, adding a parallel squarer to a hybrid 
multiplier only modestly increase the computational complexity of the system 
if the field polynomial P{x) is chosen with care. It should be stressed at this 
point that the architecture performs one squaring in GF((2")"*) in one single 
clock cycle. The trade-off, however, is that the parallel squarer requires commu- 
nication between slices in a relatively irregular manner, so that the connectivity 
complexity of the system would increase. 

5 Proof-of-Concept Implementation 

In order to gain further experience with the new class of finite field architectures, 
we performed a proof-of-concept hardware implementation. First we will show 
how a hybrid exponentiator for variable field extension m can be built. 



5.1 Variable Field Order 

In some cryptographic applications it is desirable to allow for an alterable order of 
the underlying finite field. If we impose the restriction that the subfield order 2” 
is fixed, architectures with variable extension degree m can be designed from the 
hybrid multiplier and the serial squarer. We can essentially apply the architecture 
in Figure 1 for a design that allows for variable m. 

With a modest amount of additional hardware, an exponentiation architec- 
ture with m slices can be programmed to use s slices, where s < m. In order 
to perform arithmetic in the field GF((2")') with the m-slice architecture, the 
connection between slice s — 1 and slice s is open, and the output of register 
u;s_i is redirected to the feedback data bus. This can be done with one switch st 




374 




Fig. 4. General slice structure for variable extension degree m 



(see Figure 4) which connects the output of slice s - 1 (t in the figure) to either 
the next slice or to the feedback loop, but not both. Since the feedback happens 
now between slices s — 1 and s, only s slices are used to perform a multiplication. 
Slices s and above are unused because there is no communication between them 
and the lower s slices. 

As we mentioned, if only s slices are used, a connection has to be open and 
another connection made. This implies a need for digital switches between every 
pair of slices, and from the output of each slice to the feedback bus. Although 
switching can be done fast, this is not of major importance in this architecture 
because the actual switching from, say, s to t operative slices is done once to 
set up the desired configuration. However, during the actual computation of a 
product, these switches are located in the path of data flow, adding a delay to 
the propagation of the result from one slice to the next slice. 



5.2 Prototype Implementation 

We implemented the most general multiplier architecture described in Section 3.1 
and the serial squarer from Section 4.1, with variable m and n = 8 [36]. One slice 
of our implementation has thus the structure shown in Figure 4. We applied a 
full-custom design approach using CMOS technology. The choice of this technol- 
ogy allowed us to area-optimize the implementation as opposed to, for instance, 
a VHDL-based realization. The fabrication facilities available for this research 
project enabled us to use 2pm technology. Obviously, this imposes a serious speed 
limitation on the prototype compared to current technologies. However, our goal 
was not to compete with commercial or semi-commercial implementations but 
rather to demonstrate the principle feasibility of the architectures and to obtain 
reliable area estimations. Similarly we did not implement an entire public-key 
system. Our main interest was to study the underlying arithmetic architectures. 

For the two subfield multipliers in each design we used the architecture [12]. 
The implementation uses transmission gates (X-gates) to discern whether slice i 
is the final one in the chain or not. The transmission gates offer better switching 







375 



characteristic than a pass transistor implementation [29], but still introduce a 
delay in passive mode. The coefficients of 1 ^( 0 :), TT (a:), and P{x) are stored in 8- 
bit latches. This kind of memory requires less area than a SRAM implementation. 
While other types of memory elements can operate faster than a simple latch, 
they also consume more area. 

The test ASICs that we implemented contains four slices, each of which re- 
quires 3040 transistors or 760 gate equivalences. Using the optimized architecture 
in Section 3.2, the gate count would roughly be reduced by a factor of 1/2 and 
only 400 gates would be needed per slice. This estimate indicates that hybrid 
architectures with a subfield of n = 8 are feasible even for relatively large field 
orders. An example of a field order which is well suited for an elliptic curve cryp- 
tosystem is A: = 152 = 8 • 19. For this field order we obtain an estimate of about 
8000 gate equivalences for an exponentiation (or inversion) architecture. These 
would even allow for a realization with reprogrammable logic (FPGA, EPLD). 

Our implementation allows a clock rate of 3.5 Mhz. A multiplication in 
GF{2'‘) with A: = 152 = 8-19 takes thus 5.4//sec. Although we did not implement 
an elliptic curve system we can derive the following rough estimates: Using pro- 
jective coordinates a point addition requires 7 multiplications or 70.2/iisec, and 
a point doubling 13 multiplications or 37.8/isec. A point multiplication with a 
152-bit integer would then take 5.3 msec on average, using the standard double- 
and-add algorithm. This estimate does not take any overhead into account, but 
also ignores possible improvement of the double-and-add algorithm (A;-ary, slid- 
ing window). We would like to stress that the implementation is by no means 
speed optimized (but area optimized) and that we used relatively slow technol- 
ogy. We expect that the use of the parallel squaring architecture from Section 4.2, 
state-of-the-art technology (O.Sfim or smaller), and application of the faster sub- 
field multiplier from Section 3.2 would lead to a very competitive performance 
of the exponentiation unit. 



6 Conclusions and Applications 

We developed new types of multipliers and squarers for Galois fields GF(2*). The 
multiplication and squaring architectures are designed such that exponentiation 
units can be built which are of central interest for public-key cryptosystems. 
The underlying idea is to represent the field GF(2^) by GF'((2")"*), k = n-m, 
and to apply bit parallel architectures to arithmetic in the subfield and a serial 
approach to the extension field arithmetic. The main feature of the new hybrid 
architectures is that they have the potential of being considerably faster than 
previously reported public-key architectures for finite field arithmetic. Hybrid 
multiplication requires only m clock cycles as opposed to k in traditional fully 
bit serial approaches. The principal feasibility of the approach was demonstrated 
in an ASIC implementation for the field GF((2*)'"), m variable. It appears that 
hybrid architectures could result in improved performance for several important 
public-key schemes. 

The most attractive public-key schemes for the new architecture are those 




376 



based on elliptic curves. Most reported implementation of elliptic curve systems 
over Galois fields GF{2'‘) already use a composite field extension k (e.g., k = 155 
[27], or fc = 176 [10, 11]), although not all of them explore subfield arithmetic. 
This situation is ideally suited for hybrid architectures. Also, since values of 
k = 140 . . . 200 provide high security against currently known attacks, hybrid 
architectures for elliptic curves can be realized with a moderate gate complexity. 

Another type of cryptosystem which can be used in conjunction with our 
architecture are those based on hyperelliptic curves [4], practical aspects of which 
are described in [37, 38]. Secure one-way functions can be built with k < 100, 
where k can be composite. This range of field orders seems also very well suited 
for hybrid architectures. 

Finally we would like to stress that the DL in finite fields appears to be 
insecure for composite Galois fields GF((2")'") [5]. Hence it is not recommended 
to apply the hybrid architecture to such schemes, which include, for instance, 
the classical Diffie-Hellman key exchange protocol. 

References 

1. W. DifRe and M. Heilman, “New directions in cryptography,” IEEE Transactions 
on Information Theory, vol. IT-22, pp. 644-654, 1976. 

2. T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete 
logarithms,” IEEE Transactions on Information Theory, vol. IT-31, no. 4, pp. 469- 
472, 1985. 

3. V. Miller, “Uses of elliptic curves in cryptography,” in Lecture Notes in Computer 
Science 218: Advances in Cryptology — CRYPTO ’85, pp. 417-426, Springer- 
Verlag, Berlin, 1986. 

4. N. Koblitz, “Hyperelliptic cryptosystems,” Journal of Cryptology, vol. 1, no. 3, 
pp. 129-150, 1989. 

5. L. AdlemanandJ. DeMcirrais, “A subexponential algorithm for discrete logarithms 
over all finite fields,” in Advances in Cryptography — CRYPTO ’93, pp. 147-158, 
Springer- Verlag, 1993. 

6. D. Gordon and K. McCurley, “Massively parallel computation of discrete loga- 
rithms,” in Lecture Notes in Computer Science 453: Advances in Cryptology — 
CRYPTO ’92 (E. Brickell, ed.), pp. 312 - 323, Springer- Verlag, Berlin, August 
1993. 

7. A. Menezes, Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publish- 
ers, 1993. 

8. E. Mastrovito, 'YLSI Architectures for Computation in Galois Fields. PhD thesis, 
Linkoping University, Dept. Electr. Eng., Linkoping, Sweden, 1991. 

9. G. Heirper, A. Menezes, and S. Vanstone, “Public-key cryptosystems with very 
sm 2 dl key lengths,” in Advances in Cryptology — EUROCRYPT ’92, pp. 163-173, 
May 1992. 

10. E. D. Win, A. Bosselaers, S. Vandenberghe, P. D. Gersem, and J. Vandewalle, “A 
fast software implementation for arithmetic operations in GjP( 2"),” in Asiacrypt 
’96, Springer Lecture Notes in Computer Science, 1996. 

11. D. Beauregard, “Efficient algorithms for implementing elliptic curve public- key 
schemes,” Master’s thesis, ECE Dept., Worcester Polytechnic Institute, Worcester, 
Massachusetts, May 1996. 




377 



12. E. Mastrovito, “VLSI design for multiplication over finite fields GF(2"')” in Lec- 
ture Notes in Computer Science 357, pp. 297-309, Springer- Verlag, Berlin, Maxch 
1989. 

13. M. Hasan, M. Wang, and V. Bhargava, “Modular construction of low complexity 
parallel multipliers for a class of finite fields GE(2'"),” IEEE Transactions on 
Computers, vol. 41, pp. 962-971, August 1992. 

14. S. Fenn, M. Benaissa, and D. Taylor, “GF(2’") multiplication and division over the 
dual base,” IEEE Transactions on Computers, vol. 45, pp. 319-327, March 1996. 

15. G. Feng, “A VLSI architecture for fast inversion in GF(2'"),” IEEE Transactions 
on Computers, vol. C-38, p. 1989, Oct 1989. 

16. M. Morii and M. Kasahara, “Efficient construction of gate circuit for comput- 
ing multiplicative inverses over GF(2'"),” Transactions of the lEICE, vol. E 72, 
pp. 37-42, January 1989. 

17. S. Fenn, M. Benaissa, and D. Taylor, “Finite field inversion over the dual base,” 
IEEE Transactions on VLSI Systems, vol. 4, pp. 134-136, March 1996. 

18. W. Geiselmann and D. Gollmann, “VLSI design for exponentiation in GF(2"),” in 
Lecture Notes in Computer Science 453: Advances in Cryptology — AUSCRYPT 
’90 (J. Seberry and J. Pieprzyk, eds.), (Sydney, Australia), pp. 398-405, Springer- 
Verlag, Berlin, January 1990. 

19. C. Wang and D. Pei, “A VLSI design for computing exponentiation in GF(2'") and 
its application to generate pseudorandom number sequences,” IEEE Transactions 
on Computers, vol. C-39, pp. 258-262, February 1990. 

20. M. Hasan and V. Bhargava, “Low complexity architecure for exponentiation in 
GF(2”'),” Electronics Letters, vol. 28, pp. 1984-86, October 1992. 

21. I. Hsu, T. TVuong, L. Deutsch, and I. Reed, “A compairison of VLSI architecture of 
finite field multipliers using dual-, normal-, or standard bases,” IEEE Transactions 
on Computers, vol. 37, pp. 735-739, June 1988. 

22. Y. Jeong and W. Burleson, “Choosing VLSI algorithms for finite field arithmetic,” 
in IEEE Symposium on Circuits and Systems, ISC AS 92, 1992. 

23. C. Paar and N. Lange, “A comparative VLSI synthesis of finite field multipliers,” 
in 3rd International Symposium on Communication Theory and its Applications, 
(Lake District, UK), July 10-14 1995. 

24. G. Agnew, R. Mullin, I. Onyschuk, and S. Vanstone, “An implemenation for a fast 
public-key cryptosystem,” Journal of Cryptography, vol. 3, pp. 63-79, 1991. 

25. W. Gollmann, “Algorithmenentwurf in der Kryptographie.” Habilitation, Fakultat 
fiir Informatik, Universitat Karlsruhe, Germany, August 1990. 

26. K. Yiu and K. . Peterson, “A single-chip VLSI implemenation of the discrete ex- 
ponential public-key distribution .system,” IBM Systems Journal, vol. 15, no. 1, 
pp. 102-116, 1982. 

27. G. Agnew, R. Mullin, and S. Vanstone, “An implementation of elliptic curve cryp- 
tosystems over F 2155 ,” IEEE Journal on Selected areas in Communications, vol. 11, 
pp. 804-813, June 1993. 

28. S. Lin andD. Costello, Error Control Coding: Fundamentals and Applications. En- 
glewood Cliffs, NJ: Prentice-Hadl, 1983. 

29. N. Weste and K. Eshraghian, Principles of CMOS VLSI Design, A Systems Per- 
spective. Addison- Wesley Publishing Compamy, second ed., 1992. 

30. R. Lidl and H. Niederreiter, Finite Fields, vol. 20 of Encyclopedia of Mathematics 
and its Applications. Reading, Massachusetts; Addison- Wesley, 1983. 




378 



31. V. Afanasyev, “On the complexity of finite field arithmetic,” in 5th Joint Soviet- 
Swedish Intern. Workshop on Information Theory, (Moscow, USSR), pp. 9-12, 
January 1991. 

32. C. PEiar, “A new architecture for a parallel finite field multiplier with low complex- 
ity based on composite fields,” IEEE Transactions on Computers, vol. 45, pp. 856- 
861, July 1996. 

33. W. Geiselmrinn, Algebraische Algorithmenentwicklung am Beispiel der Arithmetik 
in Endlichen Korpem. PhD thesis, Universitat Karlsruhe, Fakultat fur Informatik, 
Institut fiir Algorithmen und Kognitive Systeme, Karlsruhe, Germany, 1993. 

34. R. Mullin, I. Onyszchuk, S. Vanstone, and R. Wilson, “Optimal normal bases in 
GF(p”'),” Discrete Applied Mathematics, North Holland, vol. 22, pp. 149-161, 
1988/89. 

35. D. Knuth, The Art of Computer Programming. Volume 2: Seminumerical Algo- 
rithms. Reading, Massachusetts: Addison- Wesley, 2nd ed., 1981. 

36. M. Lehky, M. Nappi, and P. Soria-Rodriguez, “Coprocessor board for crypto- 
graphic applications.” Major Qualifying Project (Senior Thesis), 1996. ECE Dept., 
Worcester Polytechnic Institute. 

37. A.-M. Spallek, Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key- 
Kryptosystemen. PhD thesis. Institute for Experimental Mathematics, University 
of Essen, Essen, Germany, July 1994. 

38. S. Paulus, Ein Algorithmus zur Berechnung der Klassengruppe quadratischer Ord- 
nungen uber Hauptidealringen. PhD thesis, Institute for Experimental Mathemat- 
ics, University of Essen, Essen, Germany, June 1996. 




Finding Good Random Elliptic Curves for 
Cryptosystems Defined over IF2" 



Reynald Lercier 

CELAR/CASSI, Route de Laille, F-35170 Bruz, FRANCE 
email: lercierfllii . polytechnique . f r 



Abstract. One of the main difficulties for implementing cryptographic 
schemes based on elliptic curves defined over finite fields is the necessary 
computation of the cardinality of these curves. In the case of finite fields 
IF , recent theoretical breakthroughs yield a significant speed up of the 
computations. Once described some of these ideas in the first part of 
this paper, we show that our current implementation runs from 2 up to 
10 times faster than what was done previously. In the second part, we 
exhibit a slight change of Schoof’s algorithm to choose curves with a 
number of points “nearly” prime and so construct cryptosystems based 
on random elliptic curves instead of specific curves as it used to be. 



1 Introduction 

It is well known that the discrete logarithm problem is hard on elliptic curves 
defined over finite fields F, . This is due to the fact that the only known attacks 
(baby steps giant steps [Sha71], Pollard p [Pol78] and Pohlig-Hellman [PH78] 
methods) are still exponential in log q. So, cryptosystems based on this problem 
can reach the same level of security as non elliptic versions with slightly higher 
computation rates and much smaller keys [SOOS95, HMV93]. 

The remaining difficulty to design elliptic cryptosystems is the computation 
of the cardinality of elliptic curves. Until recently, it was usually admitted that 
the cost needed to perform this task was too high for randomly chosen curves. 
To tackle this difficulty, one used to consider specific curves, for instance, su- 
persingular curves [Mil87, Kob87, Kal86, BC89, MV90] or curves with complex 
multiplication [Mor91, Kob91, Miy91, Miy93, LZ94, CTT94]. Unfortunately, su- 
persingular curves turned out to be disastrous and so, the use of specific curves 
seems to be quite compromised for cryptographical purposes [MOV93]. 

Thanks to recent theoretical as well as practical developments, the cost 
of computing the number of points on a randomly chosen curve is no longer 
prohibitive. For finite fields of characteristic two (specially attractive for in- 
dustrial applications), the improvements of Schoof’s algorithm due to Atkin, 
Elkies, Morain, Couveignes, Muller, Dewaghe, . . . [Sch85, CM94, Miil95, Sch95, 
CDM96] were significantly speeded up by replacing the isogeny computation 
algorithm of Couveignes [Cou94] with a recent heuristic algorithm of the au- 
thor [Ler96]. 

In this article, once briefly recalled some basic facts about elliptic curves 
in Section 2, we describe in Section 3 our current implementation of these ideas 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 379-392, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




380 



and we explain in Section 4 how we can take advantage of Schoof ’s algorithm for 
speeding up the search of an elliptic curve with a nearly prime number of points. 
Among others, it turns out that we are now able to compute the cardinality 
of any elliptic curve for sizes of finite fields recommended for cryptographical 
schemes in only a few seconds, that is to say a speed up factor from 2 up to 10 
compared to our previous implementation [LM95a]. 

2 Elliptic Curves over IF 2 « 

Following [Men93] , we consider for our purposes elliptic curves over IF 2 ^ defined 
by 

Ea ■ + xy = + a, a 6 IF^^. (1) 

Any non supersingular elliptic curve is isomorphic to a curve or the twist of a 
curve defined by this equation. Invariant and discriminant Aa of Ea are equal 
to 



Ja = \/a and Aa = a. 



Let us note that Ea can not be supersingular because, in F 2 -x, an elliptic curve 
is supersingular if and only if its invariant is equal to 0 (on the explicit determi- 
nation of supersingular curves in finite fields of odd characteristic, see [Mor96]). 
The set of points of Ea over F 2 - is 

£a(F 2 n) = {Oij,} U € Wln,y^ + xy = x^+a). 

This set is a finite group and the formulae of the abelian group law are: 

- VP = (xp,yp) e Ea{W 2 n), P -i- = Oe^ + P = P, —P = {xp,yp + xp); 

- if P = {xp,yp), Q = (xQ,yQ),P ^ -Q, then, if P = Q,let A = xp + ypjxp, 
otherwise let A — (j/q -t- yp)/{xq -I- xp), and R = P + Q — {xp+q,yp+Q) is 
obtained by 

r xp+q = A^ -f A + Ip + xq, 

\ yp+Q = H^P + ^p+q) + xp+Q + yp- 

Some endomorphisms will be of special interest in Section 3, namely [m]a, 
multiplication by any integer m on Ea and the Frobenius map. These endo- 
morphisms are defined as follows. 



fml • >■ Ea{W2’>), , , . Pa(lF2") > Pa(fF2"), 

ix,y)^m{x,y), ' {x,y) ^ {x^" y'^). 

In particular, multiplication by 2 is given by 



[2]a: 



Pa(F2.) -4 Pa(F2-), 



(x,y) 






(2) 




381 



Equation (2) shows that there exists a single point Pa = (0, v^) of order 2 on 
these curves and the formulae of the translation by Pa are 



■£'a(lF2n) 1 Ea(lf'2’'), 

P = {x,y)< ^ P + Pa = 




I ® I /~ y 

1 X + V 



3 Counting Points on Elliptic Curves 

The number of points of a non supersingular elliptic curve Ea defined over IF2" 
satisfies Basse’s inequality [Sil86], 

#E„(F2n) =2" + l -t, with |t| < 2V^. (3) 

Before 1985, the only known methods to compute this number consisted in 
testing all the possible integers t in Equation (3) with baby steps giant steps 
variants [Sha71]. The complexity of these algorithms is asymptotically 0(2"^^). 
With the work by Schoof [Sch85] and the numerous improvements that followed, 
it is now possible to compute this cardinality with a probabilistic complexity 
asymptotically equal to 0(n®). We briefly describe this method in Section 3.1. 

The heart of these algorithms is the computation of isogenies. In practice, 
the most efficient method to do that in seems to be a heuristic algorithm 
due to the author [Ler96] and we overview it in Section 3.2. Thanks to this 
algorithm, first, we were able to speed up our previous implementation [LM95a] 
by a significant factor and secondly, compute the cardinality of an elliptic curve 
defined over F21301 . 



3.1 The Schoof-Elkies- Atkin Algorithm 

The characteristic equation satisfied by the Probenius map 4>a is 

4>l-[t]aO<Pa + n=0, (4) 

where 2" + 1 — t is the cardinality of Eo(F2«). First, Schoof remarked, that once 
restricted to the points of the kernel Ea[£] of the multiplication [£]q {£ an odd 
prime), Equation (4) yields 

+ [2" mod = [t mod o (5) 

Schoof’s algorithm simply consists in computing left hand side of Equation (5) 
for a point P of Ea[i\ and then in computing [k]a<)>a{P) for in 0, 1. 

When Equation (5) is satisfied for such an integer k, we have t mod £ = k and 
when t mod I is known for enough primes £, that is to say 

1[£>4V^, 

we deduce t by using the Chinese Remainder Theorem. 




382 



The main drawback of this method is that we are virtually forced to work 
not only with one point P of Ea[(\, but with all the points of Ea[Pi because 
the ^-coordinates of these points are basically defined in an extension of degree 
{P - l)/2 of Fzn. 

Works by Atkin and Elkies improved largely this situation by noticing that, 
for half the primes i (called Elkies primes), Ea[i\ contains at least one subgroup of 
I points. Thus, ^-coordinates of these points are defined in an extension of degree 
(£ — l)/2 of F 2 ». Indeed, this subgroup is the kernel of an isogeny (morphism) 
I between the curve Ea and an isogenous curve Ei, and, when such an isogeny 
exists, there exists another isogeny / from Et to Ea (called the dual isogeny) 
such that / o / = [^]a. Therefore, KerJ C Ker[^]a. 

Elkies and Atkin gave a construction based on modular equations to obtain 
Ef, for Elkies primes £. This works in any finite field. Unfortunately, the nice an- 
alytical method that they proposed for computing explicitly the isogeny between 
Ea and Ei, is only valid in finite fields of large characteristic [Sch95]. 



3.2 Isogenies between Elliptic Curves in 

Since the original method by Atkin and Elkies for computing isogenies between 
two elliptic curves Ea and Eb does not work in finite fields of small character- 
istic p [Sch95], only School’s algorithm was available during a while to count 
points [MVZ93]. Fortunately, the situation evolved quickly. 



Known Algorithms. The first attempt to fill this gap is due to Couvei- 
gnes [Cou94]. The computations take place in the formal group defined by Ea- 
The algorithm was successfully implemented by Morain and the author [LM95b] 
and we do not describe it here. 

But the time needed to compute isogenies with this method turned out to 
be the major cost while counting points. We recently proposed another algo- 
rithm which performs much better in practice. It is specially designed for the 
characteristic two case and is only based on algebreiic properties [Ler96]. 

Let us note that Couveignes proposed a third algorithm for finite fields of 
small characteristic p based on algebraic properties too. It consists in computing 
Ea[p*] and Efc[p*] and then, uses the fact that /(Eo[p*]) = But since the 

computations take place in extension of degree p'(p — 1)/2 ~ 2^, it does not seem 
obvious to implement it efficiently in practice even if its asymptotical complexity 
is attractive [Cou96, Cou97]. 



Lercier’s Approach. In finite fields of characteristic two, we exploited that 
there exists a unique point of order 2 on Thus, an isogeny I must satisfy 



I 0Ta = Tb0 I. 



Prom this, we deduced the following cheiracterization. 




383 



Theorem 1. Let Ea and Ef, he two elliptic curves defined over F 2 " . Let £ be an 
odd integer, and d = {£ — l)f2. Let I be an isogeny of degree I between Ea and 

Et given by {X,Y) ^ ^here Q{X),G{X),H{X),K{X) 

in F 2 "[X] with degrees at most d, £, 3<i and 2d. Then G(X) = XP^(X) where 
P{X) is a polynomial of degree d such that gcd{P{X),Q{X)) = 1 and 

X‘^Q{V^fX) = ^{V^)^P{X), 

or equivalently via X — > \fajX, 

= (6) 

v<i 

In order to explicitly compute the isogeny 7, it turns out that we have to find 
conditions satisfied by the polynomial Q(X). This is achieved from the fact that 
I O [2]a = [2]t o I. 

Corollary 2. With the notations of theorem 1, polynomials P{X) and Q{X) 
must satisfy 

X‘^Q{X + V^/X) = Q(X)P{X), (7) 

and 

{X + X‘‘P {X + ^/E/X) = XP^(X) + VbQ^(X), (8) 

where P(X) = ^P(X^) and Q(X) = (polynomials whose coefficients 

are square roots of coefficients of P{X) and Q{X)). 

Even if Equation (8) is a linear equation satisfied by Q(X) over F 2 , asymp- 
totic complexity to inverse this system is 0(£^n). This is too high in practice. 

To decrease this complexity, we considered Equation (7) and replaced the 
resolution of this linear system over F 2 " by a quadratic system over F 2 . This 
yields an algorithm (we do not describe here) whose heurististic complexity is 
0(£^). 



3.3 Results 

We had an old implementation of the SEA (Schoof, Elkies, Atkin) algorithm 
including Couveignes’s first algorithm to compute isogenies and using an “ad 
hoc” C arithmetic of F 2 " [LM95a]. We completely rewrote it with our approach 
and the formalism of ZEN library [CL96a, CL96b] which enables us to handle any 
finite field given recursively by a polynomial basis over a subfield (for instance, 
F 2 ) . Since we restrict ourselves to the case of the characteristic two in this article, 
we only give accurate timings for finite fields F 2 ", even if this implementation 
allows us to compute the number of points of an elliptic curve defined over other 
finite fields [Ler97]. 




384 



IF2G5 


min 


max 


avg 


F289 


min 


max 


avg 


F2105 


min 


max 


avg 


^max 


31 


31 


31 


^max 


41 


43 


41 


•^max 


47 


47 


47 


*u 


1 


3 


2 


#u 


1 


5 


2 


#c 


1 


5 


2 




8 


10 


9 


*L 


8 


12 


10 


*L 


10 


14 


12 


#M 


10® 


10® 


310® 


#M 


310® 


3-10® 


310^ 


*M 


610® 


610® 


510® 




2.8 


2.9 


2.9 


A^" 


7.3 


9.5 


7.5 




15 


16.5 


15.7 




0.7 


2.4 


1.8 


A2"^ 


3.5 


6.8 


5.1 


A®"" 


6.4 


12.2 


8.9 


Schoof 


0 


0 


0 


Schoof 


0 


0 


0 


Schoof 


0 


0 


0 


9 


0 


0 


0 


9 


0 


0 


0 


9 


0 


0 


0 


k 


0 


0 


0 


k 


0 


0 


0 


k 


0 


0 


0 


M-S 


0.3 


1.1 


0.7 


M-S 


0.4 


5.8 


2.2 


M-S 


1.5 


30.1 


6.5 


Total 


4.2 


6.1 


5.4 


Total 


11.4 


18.9 


14.9 


Total 


24.9 


53.3 


31.1 



Table 1. Statistics obtained with our first implementation for small finite fields IF 2" ■ 



All the timings (in seconds) are obtained on a DEC Alpha workstation 250 
(266 MHz, 4*^ generation). First, we did the same benchmarks as in [LM95a], 
That is to say, we measured the running times for 50 random curves y'^ + xy = 
x^ + a where a € F 2 [T] defined over Faes ~ F 2 [r]/(T®® + 1), 

F 289 ~F2[T]/(T*^4-T®+T^ + T3 + 1 ) and F 2105 ~ F 2 [r]/(Tio 5 + 1 ) with 
the so-called “dynamic strategy”. Results are given in Table 2. For the sake of 
comparison, we also give statistics obtained with our previous implementation 
on this machine in Table 1. 



IF 26 S 


min 


max 


avg 


F 289 


min 


max 


avg 


1F2105 


min 


max 


avg 


^max 


31 


31 


31 


^max 


41 


41 


41 


^max 


41 


47 


42 




0 


5 


1 


*u 


0 


4 


2 




1 


6 


3 




6 


11 


10 




9 


13 


11 




8 


13 


10 


#M 


10® 


310® 


2 10® 




610® 


810^ 


610® 


#M 


510® 


2-10® 


10® 


A®“ 


2.2 


4.2 


3.3 


A®“ 


5.1 


7.8 


6.4 


A®" 


6.6 


11.5 


8.8 


A®"’ 


0,3 


0.9 


0.6 


A®"” 


0.8 


2.6 


1.9 


A®"^ 


1.0 


3.8 


2.6 


Schoof 


0 


0 


0 


Schoof 


0 


0.4 


0 


Schoof 


0 


3.8 


0.3 


9 


0 


0 


0 


9 


0 


0.2 


0 


9 


0 


1.7 


0.5 


k 


0 


0 


0 


k 


0.2 


0.8 


0.6 


k 


0.8 


3.8 


2.4 


M-S 


0.6 


1.5 


1.0 


M-S 


1.1 


5.2 


2.2 


M-S 


1.1 


9.8 


2.9 


Total 


3.8 


5.9 


4.9 


Total 


9.2 


14.6 


11.2 


Total 


13.4 


24.5 


17.3 



Table 2. Statistics for small finite fields IF2" . 



We give: tmax, the maximal prime used; the number of U (resp. L) primes; 
#M, the number of combinations; the cumulated time for Schoof’s 






385 



algorithm; computing isogenies (gi) and t mod £ when £ is Elkies (fc); the time 
for the match and sort program; the total time. For each category, minimal, 
maximal and average values are given. 

Since for these “small” finite fields, the time needed to compute isogenies is 
negligible, we only gain a speed up factor from 1.1 up to 1.8 thanks in part to the 
arithmetic of ZEN which is faster than the arithmetic of our old implementation. 
We did the same experiments for three larger finite fields, F 21 S 6 ~ F 2 [T]/(T 1 ^® + 
+ r'* + 1), F 2196 ~ F 2 [T]/(T 1 *»« + T^ + 1) and Fj^oo ~ F 2 [r]/(T=^°“ + 
+ \) (note that our previous implementation is really too slow to provide 
similar statistics) . Results are given in Table 3. 



F2155 


■SS3 


max 


avg 






max 


avg 


F2300 


min 


max 


avg 


p 

^max 


59 


71 


60 


^max 


73 


79 


74 


^max 


97 


157 


113 




4 


11 


7 


#u 


7 


13 


10 


#c 


11 


19 


16 




7 


IS 


10 


i£L 


8 


15 


11 


#L 


9 


20 


14 


#Af 


310" 


7-10® 


710'^ 




10® 


yio^® 


810* 


#M 


510® 


510" 


540^“ 




30.4 


56.1 


40.6 


A^'‘ 


113 


475 


147 


A^" 


744 


1761 


996 




4.4 


13.9 


7.8 




8.8 


31.8 


21.6 




46 


387 


119 


Schoof 


0 


14.8 


4.3 


Schoof 


m 


55.5 


17.9 


Schoof 


0 


551 


199 


9 


1.5 


21.6 


7.1 


9 


9.9 


419 


40.6 


9 


76 


568 


287 


k 


7.4 


ES 




k 


29.2 


90.1 


58.9 


k 


354 


961 


601 


M-S 


2.9 




6.5 


M-S 


5 


86.9 


22.9 


M-S 


14 


1510 


230 


Total 


58.8 


132 


86.5 


Tot^ll 


m 


fliHl 




Total 


1519 


3686 


2434 



Table 3. Statistics for leirger finite fields F 2 ". 



At this point, the advantage of our approach clearly appears. The time needed 
to compute isogenies is (completely) negligible while it used to be the main 
cost in [LM95a] and we gain a speed up factor from 4 up to 10 on the whole 
computation. 

To compare Couveignes’s and Lercier’s approaches for two huge finite fields, 
we collected the Scime data in Table 4 for the curve 

Ex ■■ y'^ + xy = T? + + T'® + r® + T® + + T® + T® + + T®. 

For the first finite field, F 21009 ~ F 2 [T]/(T^“® + T^^+T'^ + T'^ + 1), we first used 
Couveignes’s and Lercier’s algorithms (respectively noted JMC and RL). For the 
second field, F 2 i 3 oi ~ F 2 [T]/(T^®°^ + + T + 1), we could only use 

Lercier’s (the current record, as of February 1997). The results are striking, the 
time needed to compute isogenies is completely negligible in the case of F 21301 
(3 days) while it was the main cost for F 21009 (77 days). 

To improve the SEA algorithm, future implementation should now optimize 
computations of mod ^ . 






































386 







X'i- 


Schoof 


9 


k 


M-S 


Total 


F 21009 (JMC) 


15d 3h 


2d 21h 


lOd 14h 


77d 21h 


23d 3h 


Ih 


121d 15h 


1F21009 (RJj) 


9d 16h 


Id 9h 


2h 


Id 2h 


7d 7h 


2h 


19d llh 


F 21301 (RL) 


51d 7h 


8d 12h 


2d 8h 


3d 17h 


36d 14h 


2h 


103d 5h 





1 ^max 1 




oa 




IF 21009 (JMC) 


K Q 


57 


46 


igBh ill 


F2l009(RL) 




48 


47 




lF2i3oi(RL) 




88 


50 


1 



Table 4. Timings for huge finite fields (days/hours). 



4 Finding Random Elliptic Curves with Nearly Prime 
Cardinality Efficiently 

Since the best known attacks against the discrete logarithm problem on elliptic 
curves are 

1. the Weil pairing reduction for supersingular curves, 

2. the baby steps giant steps, Pollard-p and Pohlig Helman algorithms for other 
curves, 

“good curves” for cryptographical purposes only have to be defined in a not 
too small finite field and to be of “nearly prime” cardinality (to avoid point 2.) 
different from 2", 2" + 1 ± v^, 2” + 1 ± \/2”+i and 2” + 1 ± 2v^ (to avoid 
point 1.) if defined over F 2 ". 

In Section 4.1, we describe an early abort strategy suggested by Morain that 
takes advantage of the SEA algorithm to quickly throw away most of the curves 
which do not meet this condition. For convenience, we explain it only in the case 
of elliptic curves Ea defined over F 2 - . But this strategy obviously works in any 
finite field. Then we give timing and examples of “good curves” provided by this 
strategy. 

4.1 Early Abort Strategy 

The Algorithm. An elliptic curve Ea given by Equation (1) is non supersin- 
gular and has a point Qa = (-^ 0 ,^ 0 ) of order 4. Thus, the previous condition 
can be reformulated as follows : “A good curve Ea is a curve defined over F 2 » 
with n > 60 whose cardinality is 4 times a prime” . 

To find such “good curves”, we proceed as follows: 

1. Choose an element a e at random. 

2. As explained in Section 3, compute t mod I with the SEA algorithm checking 
during the computation that, for each Elkies prime (.^2, 

2" + 1 - t mod f yi 0. 









387 



Otherwise, this means that the number of points of the curve is divisible by 
t. In this case, go to step 1. 

3. Check that the cardinality of the curve is 4 times a prime, otherwise go to 
step 1. 

First of all, let us note that when 2” + 1 — t mod £ = 0 for a prime £, this 
means there is a point of order £ in Ea- Therefore, there exists an isogeny of 
degree £ defined from Ea, and £ is necessarily an Elkies prime. 

Let us observe too that it is better to test the primality of the cardinality 
at step 3., first, by a pseudo primality test, and then by an exact primality 
prover (for instance ECPP [Mor90]). But for practical reasons, we used MAPLE 
system [CGGW85]. 

In practice, this algorithm works well because most of the time a curve does 
not have a prime cardinality, we will see in Section 4.1 that this cardinality is 
divided by a small integer. Since we choose primes £ as small as possible in the 
SEA algorithm, we detect such a curve quickly. 



Analysis. A theorem by Howe [How93], which extends works by Lenstra [Len87] 
(see also [Kob88]), gives the asymptotic behavior of the probability that a ran- 
dom elliptic curve over a finite field IP, has (fc S IN*) dividing the number M 
of its points when q oo. 

Theorems. There is a constant C < 1/12 4- 5\/^/6 ~ 1.262 such that the 
following statement is true. Given a prime power q, let r be the multiplicative 
arithmetic function such that for all primes £ and positive integers k 



1 






£''-1(^-1) 
£>'-1-1 + r - 1 



£>'-i-a-i(£2 _ 1) 



t/g / 1 mod 
if q = I mod fi*. 



where p = \k/i] and v = [fc/2j . Then for all positive integers N, the probability 
TTq^N that a random elliptic curve over IF, has N dividing the number of its 
W q-defined points satisfies 



|7T,,JV - l’,(iV)| < 



CAx(A)2‘"(^) 



where xi^) — rix|7v('^ 4- 1)/(A — 1) and cr{N) denotes the number of prime 
divisors of N . 



Let gq{£) be the probability that the smallest prime factor of M is 1. This 
probability is equal to 



=»•,(£) n 

primes \<l 




388 



In our particular case, we test random curves Ea defined over 1F2" with car- 
dinalities always divisible by 4, so, we make the strong assumption that Howe’s 
theorem applies, except for ^ = 2, and the probabilities r2"(^*) become 

{ 1 for £ = 2 and k — 1, 

for ^ — 2 and A; > 1, 
r2.(£*’) forf> 2. 

Consequently, the probability 7„(^) we detect at step 2. of the algorithm that 
an odd prime £ divides the cardinality of Ea is equal to 

TnW = Pnim - Pn(2")) J[ {I ~ Pn(A)). 

odd primes A<^ 

This quantity can be easily computed for n fixed but for any n, one can only 
state that 

Pn(2^) = i and < Pn(£) < 

and therefore, 3/16 < 7„(3) < 1/4, 5/96 < 7n(5) < 5/64, 7/256 < 7n(7) < 
95/2304 . , . 

4.2 Results 

The implementation described in Section 3.3 allows to compute a lot of such 
“good curves” defined over F26S, F289, F2io*, F2156 and F2198 in a reasonable 
amount of time. Accurate statistics are given in Table 5. 

In this table, it turns out that the theoretical estimations of Section 4.1 are in 
practice satisfied most of the time, except maybe for the number of cardinalities 
divisible by 5 in F219S (150 instead of 1000 • 25/394 ~ 65). In any case, the 
probability that an elliptic curve has its number of points divisible by a small 
prime £ is quite high and thus we need to compute the cardinality of a curve 
completely in only a few case. Some of these “good curves” are given in Table 6 
with the notation oq -f ai2 -f- • • ■ + a„_i 2"“^ = oq -I- aiT -I- 1- 

5 Conclusion 

Thanks to the contribution of many people in this field of research, computing 
the number of points of an elliptic curve defined over F2» can be performed 
quickly in practice. Prom this, we derived an efficient way for finding elliptic 
curves with nearly prime cardinality. Even if it is harder to obtain such curves 
when n increases (only 2 among 1000 for n = 196), we think this method is of 
special interest for cryptographic purposes. 

Performances we obtained for F2" are now similar to the performances we 
already had for the case Fp with p, a large prime, and this, even when the size 
of the finite field increases. The only problem which remains in practice is the 
case p odd and small. But, as what was foreseen at the end of [LM95a] for p = 2, 
we hope that the situation might evolve very soon for these fields too. 




389 





IF266 


IF289 


1F2106 


IP2156 


1F2196 


# curves tested 


1000 


1000 


1000 


1000 


1006 


10007 „( 8 ) 


500 


500 


Mm 


500 


500 


cardinalities divisible by 8 


491 


507 




509 


490 


10007„(3) 


250 






250 


187.5 


cardinalities divisible by 3 


255 






236 


177 


10007n(5) 


62.5 


62.5 


62.5 


62.5 


65.1 


# cardinalities divisible by 5 


63 


73 


74 


68 


150 


10007„(7) 


31.2 


31.2 


27.4 


31.2 


41.2 


# cardinalities divisible by 7 


28 


28 


59 


25 


34 


# cardinalities divisible by £ > 11 and 
detected at step 2 . of the algorithm 


29 


52 


43 


61 


57 


# cardinalities divisible by ^ > 11 and 
detected at step 3. of the algorithm 


116 


77 


62 


96 


90 


Number of “good curves” 


18 


10 


6 


5 


2 


Total time needed (s) 


1277 


1733 


2231 


14112 


30254 



Table 5, Statistics of the “early abort strategy”. 





a 


Cardinality 


1F265 


2108463510029530717 


2^ • 9223372038308612213 


IP 265 


15004298573160993787 


2^ • 9223372035176356667 


1F289 


362244896591784868971148794 


2^ • 154742504910673945144969913 


F 289 


57852959336296070429241468 


2^ ■ 154742504910669983358163303 


F 2 IO 5 




2^ • 101412048018258375221758412\ 
06867 


6543935405400478025717290432415 


IF 2 IO 5 


229598971637660130735605103979\ 

54 


2^ • 101412048018258342875266703\ 
03267 


IF 2155 


838795043588789173323661086541 \ 


2^ ■ 114179815416476790484662819\ 
27805319915233345669 


2790131341725747 


F 2155 


110027220687791685841747180597\ 


2^ • 114179815416476790484662992\ 
30130487707830550127 


77371906785324958 


IF 2 I 96 


250334701759594235393108283794 \ 


2^ ■ 251084069415467230553431576\ 
92759220570140916154347737377983 


64907961567696239688511281965 


IF 2 I 96 


4042848188 1 2 14303633 1 788043458 \ 


2^ • 251084069415467230553431576\ 
92813473113492187155697729606263 


37154824320382480200588296980 



Table 6. Curves with a nearly prime cardinality. 
















































































390 



Acknowledgments. I would like to thank Francois Morain for fruitful discus- 
sions. I also thank the referees for careful comments and for suggesting a title 

corresponding closer to the content of this article. 

References 

[BC89] A. Bender and G. Castagnoli. On the implementation of elliptic curve 
cryptosystems. In G. Brassard, editor, Advances in Cryptology, volume 
435 ot Lecture Notes in Comput. Set., pages 186-192. Springer- Verlag, 1989. 
Proc. Crypto ’89, Santa Barbara, August 20-24. 

[CDM96] J.-M. Couveignes, L. Dewaghe, and F. Morain. Isogeny cycles and the 

Schoof-Elkies-Atkin algorithm. Research Report LIX/RR/96/03, LIX, 
April 1996. 

[CGGW85] B. W. Char, K. O. Geddes, G. H. Gonnet, and S. M. Watt. MAPLE Refer- 
ence Manual, Fourth Edition. Symbolic Computation Group, Department 
of Computer Science, University of Waterloo, 1985. 

[CL96a] F. Chabaud and R. Lercier. A new toolbox for finite extensions of finite 
fields. Rapport technique, Laboratoire d’Informatique de I’Ecole polytech- 
nique (LIX), 1996. In preparation. 

[CL96b] F. Chabaud and R. Lercier. ZEN, User Manual Laboratoire 
d’Informatique de I’Ecole polytechnique (LIX), 1996. Available at 
http : //lix . polytechnique . f r/' zen/. 

[CM94] J.-M. Couveignes and F. Morain. School’s algorithm and isogeny cycles. 

In L. Adleman and M.-D. Huang, editors, ANTS-I, volume 877 of Lecture 
Notes in Comput. Sci., pages 43-58. Springer- Verlag, 1994. 1st Algorithmic 
Number Theory Symposium - Cornell University, May 6-9, 1994. 

[Cou94] J.-M. Couveignes. Quelques calculs en theorie des nombres. These, Uni- 

versite de Bordeaux I, July 1994. 

[Cou96] J.-M. Couveignes. Computing /-isogenies with the p-torsion. In H. Cohen, 

editor, ANTS-II, volume 1122 of Lecture Notes in Comput. Sci., pages 59- 
65. Springer- Verlag, 1996. 

[Cou97] J. M. Couveignes. Isomorphisms between towers of artin-schreier exeten- 
sions over a finite fields. Draft, 1997. 

[CTT94] J. Chao, K. Tanada, and S. Tsujii. Design of elliptic curves with con- 
trollable lower boundary of extension degree for reduction attacks. In 
Y. Desmedt, editor. Advances in Cryptology - CRYPTO '94, volume 839 
of Lecture Notes in Comput. Sci., pages 50-55. Springer- Verlag, 1994. 
Proc. 14th Annual International Cryptology Conference, Santa Barbara, 
Ca, USA, August 21-25. 

[HMV93] G. Harper, A. Menezes, and S. Vanstone. Public-key cryptosystems with 
very small key length. In R. A. Rueppel, editor. Advances in Cryptoloy 
- EUROCRYPT '92, volume 658 of Lecture Notes in Comput. Sci., pages 
163-173. Springer-Verlag, 1993. Workshop on the Theory and Application 
of Cryptographic Techniques, Balatonfiired, Hungary, May 24-28, 1992, 
Proceedings. 

[How93] E. W. Howe. On the group orders of elliptic curves over finite fields. Com- 
positio Mathematica, 85:229-247, 1993. 




391 



[Kal86] 

[Kob87] 

[Kob88] 

[Kob91] 

[Len87] 

[Ler96] 

[Ler97] 

[LM95a] 

[LM95b] 

[LZ94] 

[Men93] 

[Mil87] 

[Miy91] 

[Miy93] 

[Mor90] 

[Mor91] 



B. S. Kciliski, Jr. A pseudo-random bit generator based on elliptic loga- 
rithms. In Proc. Crypto 86, volume 263 of Lecture Notes in Comput. Sci., 
1986. Proceedings Crypto ’86, Santa Barbara (USA), August 11-15, 1986. 
N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177);203-209, 
January 1987. 

N. Koblitz. Primaility of the number of points on an elliptic curve over a 
finite field. Pacific Journal of Mathematics, 131(1):157-165, 1988. 

N. Koblitz. Elliptic curve implementation of zero-knowledge blobs. Jour- 
nal of Cryptology, 4(3);207-213, 1991. 

H. W. Lenstra, Jr. Factoring integers with elliptic curves. Annals of Math., 
126:649-673, 1987. 

R. Lercier. Computing isogenies in GF(2"). In H. Cohen, editor, ANTS-II, 
volume 1122 of Lecture Notes in Comput. Sci., pages 197-212. Springer- 
Verlag, 1996. 

R. Lercier. Courbes elliptiques et cryptographic. These, Ecole polytech- 
nique, 1997. Dreift. 

R. Lercier and F. Morain. Counting the number of points on elliptic curves 
over finite fields: strategies and performances. In L, C. Guillou and J.-J. 
Quisquater, editors. Advances in Cryptology - EUROCRYPT ’95, number 
921 in Lecture Notes in Comput. Sci., pages 79-94, 1995. International 
Conference on the Theory and Application of Cryptographic Techniques, 
Saint-Malo, France, May 1995, Proceedings. 

R. Lercier and F. Morain. Counting the number of points on el- 
liptic curves over Fp» using Couveignes’s algorithm. Rapport de 
Recherche LIX/RR/95/09, Laboratoire d’Informatique de I’Ecole poly- 
technique (LIX), 1995. Available at http://lix.polyteclmique.fr/"nio- 
rain/ Articles. 

G.-J. Lay and H. G. Zimmer. Constructing elliptic curves with given group 
order over large finite fields. In L. Adleman and M.-D. Huang, editors, 
ANTS-I, volume 877 of Lecture Notes in Comput. Sci., pages 250-263. 
Springer- Verlag, 1994. 1st Algorithmic Number Theory Symposium - Cor- 
nell University, May 6-9, 1994. 

A. J. Menezes. Elliptic curve public key cryptosystems. Kluwer Academic 
Publishers, 1993. 

V. Miller. Use of elliptic curves in cryptography. In A. M. Odlyzko, editor, 
Advances in Cryptology, volume 263 of Lecture Notes in Comput. Sci., pages 
417-426. Springer- Verlag, 1987. Proceedings Crypto ’86, Santa Barbara 
(USA), Augustll-15, 1986. 

A. Miyaji. On ordinary elliptic curve cryptosystems. In Advances in Cryp- 
tology - ASIACRYPT ’91, volume 739 of Lecture Notes in Comput. Sci., 
pages 50-55. Springer- Verlag, 1991. 

A. Miyaji. Elliptic curves over Fp suitable for cryptosystems. In J. Seberry 
and Y. Zheng, editors. Advances in cryptology - AUSCRYPT ’92, volume 
718 of Lecture Notes in Comput. Sci., pages 479-491. Springer- Verlag, 1993. 
Workshop on the theory and application of cryptographic techniques, Gold 
Coast, Queensland, Australia, December 13-16, 1992. 

F. Morain. Courbes elliptiques et tests de primalite. PhD thesis, Universite 
Claude Bernard-Lyon I, September 1990. 

F. Morain. Building cyclic elliptic curves modulo large primes. In D. 
Davies, editor. Advances in Cryptology - EUROCRYPT ’91, volume 547 of 




392 



[Mor96] 

[MOV93] 

[Miil95] 

[MV90] 

[MVZ93] 

[PH78] 

[Pol78] 

[Sch85] 

[Sch95] 

[Sha71] 

[Sil86] 

[SOOS95] 



Lecture Notes in Comput. Sci., pages 328-336. Springer-Verlag, 1991. Pro- 
ceedings of the Workshop on the Theory and Application of Cryptographic 
Techniques, Brighton, United Kingdom, April 8-11, 1991. 

F. Morain. Classes d’isomorphismes des courbes elliptiques supersin- 
gulieres en caracteristique > 3. To appear in Utilitas Mathematica. Avail- 
able at http: //lix. polytechnique . fr/'morain/, March 1996. 

A. Menezes, T. Okamoto, and S. A. Vanstone. Reducing elliptic curves 
logarithms to logarithms in a finite field. lEEETIT, 39(5):1639-1646, 1993. 
V. Muller. Ein Algorithmus zur Bestimmung der Punktanzahl elliptischer 
Kurven iiber endlichen Korpem der Gharakteristik grofier drei. PhD thesis, 
Technischen Fakultat der Universitat des Saarlandes, 1995. 

A. Menezes and S. A. Vanstone. The implementation of elliptic curve cryp- 
tosystems. In J. Seberry and J. Pieprzyk, editors. Advances in Cryptology, 
number 453 in Lecture Notes in Comput. Sci., pages 2-13. Springer-Verlag, 
1990. Proceedings Auscrypt ’90, Sysdney (Australia), January 1990. 

A. J. Menezes, S. A. Vanstone, and R. J. Zuccherato. Counting points on 
elliptic curves over F 2 »>». Math. Comp., 60(201):407-420, January 1993. 

S. Pohlig and M. Heilman. An improved algorithm for computing loga- 
rithms over gf(p) and its cryptographic significance. IEEE Transactions 
on Information Theory, 24:106-110, 1978. 

J. M. Pollard. Monte Carlo methods for index computation (mod p). 
Math. Comp., 32(143);918-924, July 1978. 

R. School. Elliptic curves over finite fields and the computation of square 
roots mod p. Math. Comp., 44:483-494, 1985. 

R. School. Counting points on elliptic curves over finite fields. 
J. Theor. Nombres Bordeaux, 7:219-254, 1995. Available at 

http://www.emath.fr/Maths/Jtnb/jtnbl995-l.html. 

D. Shanks. Class number, a theory of factorization, and genera. In Proc. 
Symp. Pure Math. vol. 20, pages 415-440. AMS, 1971. 

J. H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate 
Texts in Mathematics. Springer, 1986. 

R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck. Fast key ex- 
change with elliptic curve systems. In Don Coppersmith, editor, Advances 
in Cryptology - CRYPTO ’95, volume 963 of Lecture Notes in Comput. 
Sci., pages 44-56. Springer-Verlag, 1995. 




Incremental Cryptography and 
Memory Checkers 



Marc Fischlin 



Fachbereich Mathematik/Informatik 
Johann Wolfgang Goethe-Universitat Frankfurt am Main 
PSF 111932 

60054 Frankfurt/Main, Germany 

e-mail: marc @ informatik.uni-frankfurt.de 
URL: http://www.uni-frankfurt.de/'roessner/group/marc/marc.html 



Abstract. We introduce the relationship between incremental crypto- 
graphy and memory checkers. We present an incremental message au- 
thentication scheme based on the XOR MAGs which supports inser- 
tion, deletion and other single block operations. Our scheme takes only a 
constant number of pseudorandom function evaluations for each update 
step and produces smaller authentication codes than the tree scheme 
presented in [BGG95]. F\irthermore, it is secure against message substi- 
tution attacks, where the adversary is allowed to tamper messages before 
update steps, making it applicable to virus protection. From this scheme 
we derive memory checkers for data structures based on lists. Conversely, 
we use a lower bound for memory checkers to show that so-called mes- 
sage substitution detecting schemes produce signatures or authentication 
codes with size proportional to the message length. 



1 Introduction 

The notion of incremental cryptography has been introduced by Bellare, Gol- 
dreich and Goldwasser in [BGG94] and refined by the same authors in [BGG95]. 
Suppose that we are given a block-by-block message M and its cryptographic 
form /r, i.e. encryption, signature or authentication code. Let M' be a message 
that is obtained by applying a text modification from a set A4 of modifications 
to M. With an incremental scheme supporting the text modifications M a cryp- 
tographic form n' for M' can be produced much faster from fi and M than it 
would take to compute it from scratch. 

Our results. We present the incremental authentication scheme IncXMACC that 
supports single block insertion and deletion, and therefore other operations like 
replacement. To update an authentication code for inserting or deleting a sin- 
gle block at a given position, this scheme performs only a constant number of 
pseudorandom function evaluations. Additionally, insertion can be done without 
accessing the message and deletion merely needs the corresponding block. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 393-408, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




394 



Security against Message Substitution Attacks. Our scheme remains secure if 
an adversary is allowed to alter messages before applying the update algorithm 
— while the shorter authentication code must be kept on some secure medium. 
Security against these message substitution attacks implies application to virus 
protection. To protect a large file stored on some insecure medium against unau- 
thorized alternation, authenticate this file and store the shorter authentication 
code in some incorruptible memory. Whenever an authorized user modifies the 
file, we can update the authentication code very fast using the incremental algo- 
rithm. Conversely, it is very unlikely that an attacker, e.g. a virus, will be able 
to produce a forgery even if he tampers the documents before update steps. In 
this sense, message substitution attacks lie between (total) substitution attacks, 
where both the message and signature can be tampered before update steps, and 
basic attacks, where the adversary isn’t allowed to alter messages or signatures 
before updating. 

Related Work. In [BGG94] a hash-and-sign scheme based on an incremental hash 
function was presented. The signature consists of the hash value h and a signature 
for h produced by an arbitrary non-incremental signature scheme. To update a 
signature, increment the hash value and sign this new hash value. Unfortunately, 
this scheme only supports single block replacement and it is provably not secure 
against message substitution attacks. 

In [BGG95] the same authors present the tree scheme supporting single block 
operations like insertion and deletion (and the more powerful modifications cut 
and paste to devide a text into two documents resp. to append a document to 
another). The tree scheme takes /?(logn) verification and authentication steps 
for the abovementioned operations, where n is the number of blocks of the docu- 
ment. For the cut modification, the tree scheme is much faster than IncXMACC, 
while our scheme supports the insert, delete and paste modifications applying a 
pseudorandom function only a constant number of times. Moreover, our scheme 
produces considerably smaller authentication codes than the tree scheme, though 
the authentication code must be kept on a secure medium. In contrast to that, 
signatures and authentication codes produced by the tree scheme can be stored 
in the insecure memory. A randomized version of the tree scheme is given in 
[M97]. This scheme hides the fact whether the incremental or non-incremental 
algorithm has been used to produce a signature. 

Our scheme IncXMACC refines the incremental authentication scheme pre- 
sented in [BGG95], which is also based on the XOR MAGs. This scheme has 
several disadvantages in comparison to our scheme: It doubles the key size by 
using two pseudorandom functions and it requires meiny random bits. For an 
update step the incremental algorithm reads more than the corresponding block 
and security has only been proven for basic attacks. 

Memory Checkers. Using IncXMACC, we present a method to obtain memory 
checkers for lists and similm data structures. The memory checker model has 
been introduced by Blum et al. in [BEG‘^94] (a prelimary version appeared in 
[BEG‘*'91]). Informally, a memory checker for a data structure T> verifies that 




395 



for a given sequence of operations, an implementation of V works correctly for 
this sequence. If not, the checker outputs some error message. There are two 
sources of errors: The program implementing the data structure can be buggy 
or the memory where the elements are stored can be tampered by an adversary, 
e.g. a virus. Intuitively, incremental schemes that are secure against message 
substitution attacks seem to provide a suitable method to design such checkers. 
To do so, keep a signature for the current memory content and update the 
signature accordingly for an operation for V. Nevertheless, in some settings the 
checker should be able to update the signature given only the old signature and 
the element resp. block that for example shall be deleted or inserted, without 
accessing other parts of the memory content. IncXMACC has this property. 

Making the connection between memory checkers and incremental schemes 
we transfer a lower bound for checkers to incremental schemes. Informally, an 
incremental scheme is message substitution detecting, if it detects when relevant 
parts of message have been altered before calling the update algorithm. We give 
a sufficient condition under which an incremental message substitution detecting 
scheme that is secure against basic attacks, is also secure against message substi- 
tution attacks. The lower bound states that the length of a signature produced 
by a substitution detecting scheme must be very large, roughly proportional to 
the size of the message. 

For a discussion about the differences between the memory checker setting 
and the program checking model (which has been introduced by Blum and Kan- 
nan in [BK89]) resp. the software protection model of Goldreich and Ostrovsky 
[G096] we refer the reader to [BEG'*"94]. 



Exact Security. We follow the paradigm presenting our results in terms of ex- 
act security [BKR94,BGR95]. Informally, the notion of exact security can be 
described as follows. Assume that we have an adversary for IncXMACC with 
running time^ t that makes at most q signature queries for messages of length 
at most L and achieves success probability e. Then we derive (in a constructive 
way) a distinguisher D for the underlying function family F with parameters 
t',q',e\ such that D can distinguish F and the family of all functions with run- 
ning time t', making at most q' oracle queries and achieving advantage at least 
e'. Here, t',q',e' are determined by t,q,L,e. 



2 Incremental Cryptography 

We briefly review the definitions of incremental cryptography. This part is mainly 
based on [BGG95]. See this work for further discussion. In section 2.2 we intro- 
duce the notion of message substitution attacks. 



^ To be precise, t describes the running time and the size of the adversary’s algorithm. 
For simplicity, we will only deal with the issue of running time in this paper. 




396 



2.1 Incremental Schemes 

Let S = (Gen, Sig, Vf) be an ordinary (i.e. non'incremental) signature or message 
authentication scheme which allows to sign block messages. That is, on input a 
security parameter s and a block size b in unary, the Gen algorithm outputs in 
probabilistic polynomial time a pair of keys (e, d). For simplicity we assume that 
s and b are recoverable from e or d and that b = poly (s). On input the key d 
and an admissible message M € Z”, where Z = {0, 1}*, the signer Sig outputs a 
signature or message authentication code (MAC) fi in probabilistic polynomial 
time in s (and b). The polynomial time verifier Vf outputs a bit a where o = 1 
stands for “accept” and o = 0 for “reject”. A scheme is called complete, if 
Vf(e, M, Sig(d, M)) = 1 for all keys produced with positive probability by Gen 
and all admissible messages M. We say that a signature ju for M is valid, if 
\/f{e,M,p) — 1. Else it is called invalid. 

To every document we associate a name a € {0, 1}* and a counter cnta- For 
the rest of this paper, we assume that the counter value is bounded above by 2** 
and that the document name has length at most b, so that both values can be 
treated as message blocks, and that all messages M £ E* with 1 <i < poly (s) 
are admissible. Let 7 t(Mi, . . . ,Mm,y) 6 Z* denote the message that is obtained 
by applying text modification tt to messages Mi,.. . , Mm with argument vector 
y. For example, 7 t(M, i,M,) = replace(M, i, M.) for y = (i,Mt) is the message 
where the block in M is replaced by M, e Z. We only present the definition 
for incremental signature schemes. The definition for message authentication 
schemes is similar. 

Definition 1. Let S = (Gen, Sig, Vf ) be a signature scheme and M a set of text 
modifications. An Af-incremental scheme is an interactive machine such that: 

— The machine is initialized with a pair (e, d) of keys produced by Gen on input 
(P,l^). 

— For a create command with arguments a € {0, 1}* and D £ E*, the machine 
initializes a counter cnt^ with 1 and produces a signature Sig(d, D). (The Sig 
algorithm might take as additional input the name a and cnta.) The machine 
stores the document D, the counter cnt„ and the signature with reference 
to name a. If a document for this name already exists, it is replaced by D 
and cnta is incremented instead of initialized before calling Sig. 

— On an edit command for the text modification tt £ M with argument vector 
y and document n6imes ai, . . . ,am and /?, the machine works as follows: 

• The machine increments the counter of document f3. 

• It updates the signature of the document for /3. 

• It replaces the document specified by P by applying modification tt with 
argument vector y to the documents defined by the values Oj. 

The update step is done by applying the incremental algorithm IncSig to the 
documents Zq. and signatures pa; specified by the values a^, the modifica- 
tion TT with argument vector y and the key d.^ The algorithm might take 

^ To be more precise, IncSig is passed a description of tt , where we assume that |At| 
is constant. 




397 



as additional input all the counter values and document names, including (3 
and cnt^. 

The incremental scheme is called complete, if S is complete and for all pairs 
(e, d) of keys which are produced by Gen with positive probability and all valid 
signatures Hq. for , the output of IncSig satisfies 

Vf (e, lncSig(d, . >Da^, ■ ■ ■ i Pctm > 

where the verifier Vf might take 0 and cnt^ as additional input. 

For simplicity, we also write <S = (Gen, Sig, IncSig, Vf) for the incremental 
scheme. S(b, s) denotes the incremental scheme with fixed parameters b and s. 



2.2 Security 

In this section we review the notion of security for incremental signature and 
authentication schemes. Basically, an adversary performs an adaptive chosen 
message attack [GMR88]. So far, all values are stored securely by the interactive 
machine. As done in [BGG95], we augment our model by an alter command that 
takes as arguments a document name a, a document D E E* and a signature fi. 
For an alter command the interactive machine replaces the document with name 
a by D and the signature by /j, regardless of the current values. The counter 
value cnta remains unchanged. 

The alter command models the following settings; Suppose that the docu- 
ments and signatures are kept on an insecure medium like a remote host. Then 
an adversary, e.g. a virus, might change the document before issuing an edit com- 
mand. If the adversary doesn’t use alter commands during his attack, we call 
it a basic attack. If he tampers only documents but no signatures, we call this 
a message substitution attack. This corresponds to the case when the possibly 
short signature is kept on a secure medium. If the adversary changes documents 
and signatures, it is called a (total) substitution attack. 

In substitution attacks, we must associate the signature or authentication 
code to some document. [BGG95] therefore introduce virtual documents. To ev- 
ery document D we define the virtual document virt(Z>) as follows: If the docu- 
ment D was issued by a create command, let virt(£)) = D. If the document was 
obtained by an edit command applying rr with argument vector y to documents 
D[,. . . ,D!^, let virt(Z3) be the document that is obtained by applying tt with 
y to virt(Dj) , virt(D(,j). If the document D was obtained by an alter com- 

mand replacing document D', let virt(i?) = virt(D'). An adversary is successful, 
if he produces a signature or authentication code for a document which hasn’t 
appeared as a virtual document before. We define security in terms of exact 
security; 

Definition 2. Let S(b, s) be an incremental signature or message authentication 
scheme with block size b and security parameter s. A {t,qs,qv,qi,Ls,Lv,Li,t)- 
adversary E makes at most t steps (in a standard RAM model [AHU74]), queries 




398 



Sig, IncSig, Vf at most Qg, qi, q„ times, each query with messages of no more than 
Lg, Li, Ly blocks, and is successful with probability at least e. S{b, s) is said to be 
{t, qg, qv,<li, Lg, Ly,Li, e)-secure against basic/message substitution/total substi- 
tution attacks, iff there is no {t,qg,qy,qi,Lg,Lv,Li,e)-audveTsaxy performing the 
corresponding attack. 

For the rest of this paper, we write (t, q,L,e) for q = and L = 

{Lg,Li, Ly). In some settings, parameters may be irrelevant, for example qy and 
Ly in signature schemes. It this case, it is understood that q and L abbreviate 
and (Lg,Li). 

3 Incremental Message Authentication: IncXMACC 

3.1 Notations and Definitions 

For two strings x,y ^ {0,1}*, let a: • j/ be the concatenation of x and y. For 
x,y ^ (0, 1}", x®y denotes the bitwise exclusive-or of x,y. For a number i € 
{0, . . . ,2*" - 1), let (i)^ denote the m-bit binary representation of i. 

Let Map(X, Y) denote the set of all functions with domain X and range Y. 
A function family F C Map(A, Y) is a set of functions, where we associate a key 
a to each function f € F. Let Fa be the function specified by key a. To draw 
a function / e F at random means to choose at random with equal probability 
a key a from the set of all keys of functions in F and to set / := Fa- For a 
function / from the family Map(J’f,y) the associated key is the sequence of all 
I AT I function values in some fixed order. 

Let F,G C Map(A, Y) be two function families and Z? be a probabilistic 
algorithm. Define the advantage of D distinguishing between F and G as 

AdvD(F,G) = Prob/6F [D^ = l] - Prob^gc [D» = 1] , 

where the probabilities are taken over the random choice of / € F resp. g € G 
and the coin tosses of D. We say that Z? is a (t, q, e)-distinguisher if it makes at 
most t steps (in a standard RAM model), makes at most q oracle queries and 
achieves Adv£)(F,Map(A, T)) > e. We say that the family F is (t, g, e) -secure if 
there exists no (f , g, e)-distinguisher. 

3.2 XOR Schemes 

Bellare, Guerin and Rogaway [BGR95] introduced the XOR MAC schemes, a 
general framework for designing message authentication schemes. Let F be a 
function family with domain {0, 1}^ and range {0, 1}^ and let Fa be a function 
in F according to key a. Given a message M — M[l] ■ • • M[n] and some state 
information, e.g. a counter, an algorithm Tl outputs probabilistically some seed 
r. On input r and M, a deterministic algorithm S produces a set Z C {0, 1}^ 
Both algorithms must not dependend on the key a. The message authentication 
code for M is (r, z), where z = Z^a(a:). The verifier knowing the key a 




399 



works as follows: On input a MAC [r',z') and a message M', it runs £ with 
input r' and M' to obtain a set Z' C {0, 1}' and accepts iff ^a(^) ~ 

Security of such schemes can be reduced to the algebraic problem that an 
associated matrix has full rank. For a set Z C {0, 1}* let the characteristic 2^- 
bit vector be the vector where the a:*’’ entry is 1 iff a: e Z. Assume that the 
underlying function family is Map({0, 1}^ {0, 1}^). Then the probability that 
the verifier accepts one of the queries for a new message is bounded above by 
6 := q„ ■ 2~^ + maxM.r {NFRank,, (M, r)} with 

NFRank,, (M,r) := Prob [Matrix,^ (M,r) hasn’t full rank | M ^ {Mi,... ,Mq.}] 

Here, Matrix,, (M, r) describes the random matrix over GF [2], consisting of the 
g* + 1 characteristic vectors, where the first qg vectors for the signing queries 
axe defined by f’s output for the random messages M, and seeds Rj, and the row 
vector </s + 1 is specified by f ’s output for the possible forgery M and seed r 
in the first verify query. Note that these two values determine the MAC, since 
£ is deterministic. Given an adversary A for such an XOR scheme based on a 
function family F such that A is successful with probability e', one can derive a 
distinguisher for F with comparable running time and advantage e > e' —S. See 
for example [BGR95] or the proof of Theorem 4. 



3.3 The Scheme IncXMACC 

The scheme lncXMACCf’,6 is based on a function family F C Map({0, 1}*, {0, 1}^) 
cind has block size b < I* where 1* = — 1. For notational convenience we as- 

sume that I is even. It supports the operations insert(M, i, M*) and delete(M,j) 
for inserting block M, at position i resp. deleting the j*'*' block in message 
M — M[l] ■ ■ • M[n], where 1 < i < n 1 and 1 < J < n. Therefore, the scheme 
supports other operations like replace(M,i, M*), swap(M,i,j) or move(M,i,j) 
to replace block i by M*, to swap block i and j or to move block i to position 
j, respectively. We sometimes abbreviate delete(M,j) by delete(j) if the corre- 
sponding message Af is clear from the context. Similar for the other operations. 

We will first discuss the single document setting and then show how to pro- 
ceed in the multi document case. In the single document model, the scheme 
holds two counters dent and bent, a document counter resp. a block counter, 
both initialized with 0. For technical reasons, only messages with more than two 
blocks are allowed. In the multi document setting, only message with more than 
four blocks are admissible. In both cases, the counter values are bounded above 
by 2** . The underlying idea is that we link every message block to a unique block 
counter value and incorperate the order of the message blocks by chaining the 
counter values. 

We define the algorithms Sig and IncSig. Assume that the user or adversary 
issues a create command for the document M[l] ■M[n] € 17". Then Sig in- 
crements dent by one and produces the MAC (dent, bent 4-1, .. . ,bcnt -Fn, 2 ), 




400 



where z = (x) with 

Z = {0 • (dcnt)j_j} U {10 • (M[z])j. • (bent +i)^. | i = 1, . . . ,n} 

U {11 • (bent +i)j. ■ (bent +i + l)j. | i = 1, . . . , n — 1 } 

Finally, Sig increments bent by n. On an insert(i,M») command for the current 
document M = A/[l] - • • M[n] and MAC n — {d,ci, . . . , c„, z) for M, the system 
works as follows; IncSig increments the counters dent and bent and outputs a new 
MAC (dent, Cl,... ,Ci_i,bcnt,Cj, . . . ,c„,z') for the document M[l]...M[i — 
1] M, M[i] ■ ■ ■ M[n\, where 

z' = 2 0 Fa(0 • (d)/_i) © Ffl(0 • (dcnt),_j) 

©Fa(10- (M,),. • (bent),.) ©Fa (11 • (ci_i),. ■ (cj),.) 

®Fa(ll • (Ci_i),. • (bent),.) ©Fa (11 • (bent),. • (cj),.) 

That is, the old document counter value of the document is replaced by the new 
one and the new block M. is linked to its block counter value bent. Moreover, 
bent is put in the chain between Cj_i and Cj breaking up the link between Cj_i 
and Cj. For i = 1 (resp. i = n + 1) drop the fourth and fifth (resp. fourth and 
last) function value. 

A delete(i) command for 1 < i < n is processed similarly. Having incremented 
dent, the new MAC for the document M[l] • • • M[i - l]M[i + 1] • • ■ M[n] is given 
by (dent, Cl,... ,Ci_i,Ci+i, . . . ,c„, 2 ') where 

z' = z®Fa(0 • (<i),_i)®Fa(0 • (dcnt),_i) 

®Fa(10- (M[t]),. • (ci),.)®Fa(ll • (Ci_i),. • (ci),.) 

© Fo(ll ■ (Ct)j. • (Cj+i),, ) ® Fa(ll • (Cj_i)j, • (Ci^-i),, ) 

In this case, the system doesn’t increment bent. For i — 1 or i = n adapt the 
last lines as above. 

Finally, we define the verify procedure Vf. Given M = M[l]...Af[n] and 
a MAC (d',c'i,... ,c(,,,z'), check that n' = n and that all values are dif- 
ferent and reject if one of these properties doesn’t hold. Otherwise compute 

Z = {0- (d'),_,} U {10 • (M[j]),. . (c'),. I i = 1, . . . ,n} 

U {11 • (c'),. • (c'+i),. |i = 1,... ,n - 1) 

Reject if z ^ z', otherwise accept. 

Security is proven as in [BGR95]. We first deal with the case F = R — 
Map({0, 1}*, {0, 1}-^) and show an upper bound for the success probability. Due 
to space restriction we skip the rather technical proof. It will be given in the 
final version. 

Theorem 3. Let R = Map({0, 1}‘, {0, 1}^) and 26 + 2 < 1. Let E be a computa- 
tionally unbounded adversary attacking the incremental scheme IncXMACCfl,;, in 
a message substitution attack making at most verify queries. The probability 
that E is successful is bounded above by 6j := ■ 2~^. 




401 



Obviously, this bound is tight. FVom this Theorem we derive: 

Theorem 4. Let F C Map({0, 1}^ {0, 1)^) be a function family with 2b + 2 < 1. 
If F is {f ,q' ,e')- secure then lncXMACCiP,fc is {t,qa,qv,qe,Lg,Ly,e)-secure, where 

t' = t + c{qs + + Qe){L + / + 6), q' = 2q„L„ + 2q,Lg + 6^ei e* = e — • 2 ^ 

for a small constant c € IN depending only on the computational model. 

Proof. (Sketch) Let E be an adversary for IncXMACC with the specified param- 
eters and success probability at least e. From E we construct a distinguisher D 
for F. D is given oracle access to a randomly chosen function g in F resp. R. D 
simulates E and IncXMACC’s program by replacing each function evaluation Fa 
with the oracle values for g and outputs 1 iff F is successful. By Theorem 3, for 
g £ R the adversary E is successful with probability at most • 2“^. Therefore, 

ProbgeF = 1] - ProbjeR [D^ = 1] 

= Prob^g/r [E is successful] — Probggii \E is successful] > e — ?„ ■ 2“^. 

Hence, Z) is a (t', q', e')-distinguisher for F. □ 

We compare IncXMACC and the tree scheme presented in [BGG95]. Our scheme 
is only secure when the MAC is kept on a .secure medium, while the tree scheme 
is secure against total substitution attacks. The tree scheme can be applied with 
any secure signature or authentication scheme, but deleting or inserting a block 
takes n (log n) evaluations of the ordinary signature scheme, where n is the num- 
ber of message blocks of the document. Additionally the tree structure must be 
maintained. Nevertheless, the tree scheme supports the more powerful modifica- 
tions paste and cut. The advantage of our scheme is that it takes only a constant 
number of function evaluations for insert and delete (below we’ll show that this 
holds also for the paste modification), that it merely accesses the corresponding 
message block in update steps, and that the size of the MAC is considerably 
smaller. Namely, let s be the output length of the pseudorandom function used 
by IncXMACC and the output length of the ordinary authentication scheme used 
in the tree scheme. Moreover, assume that both schemes have block size h. If 
the block counter is bounded above by s', then IncXMACC produces MACs for 
messages of n blocks with bit size at most s + c(n -t- 1) log s = O (s -I- n log s) , 
while MACs produced by the tree scheme have size at least (|s + l)n = J? (ns). 

The scheme IncXMACC is provably not secure against (nonadaptive) total 
substitution attacks. The adversary queries Sig for the document ABCD, where 
A,B,C,D are different blocks in {0,1}*. He alters the document to AABC and 
changes the MAC {d,ci,C 2 ,C 3 ,Ci,z) to (d,ci,ci,C 2 ,C 3 ,z). Then he asks IncSig 
to delete the third symbol. Replacing this MAC (d -f l,ci,Ci,C 3 , 2 :') by (d-l- 
l,ci,C 3 ,C 4 ,z'), he obtains a valid MAC for the document ACD, which hasn’t 
appeared as a virtual document. 

We now adress the multi document setting. For every document we associate 
a name a e {0, 1}*. Additionaly, we keep a block counter bcnt^ and a document 




402 



counter dcntc for each document. Signing a document is similar to IncXMACC 
but we use the value 00 • {dcnta)^. ■ instead of 0 • (dcnt)j_^ for the source and 

00 • (dcnt/j+l)j. • (/?),. instead of 0 • (dcnt+l)j_j for the destination. Security 
follows as in Theorem 3 and Theorem 4. 

Theorem 5. Let F C Map({0, 1}*, {0, 1}^) be a function family with 26 + 2 < 1. 
If F is (t' ,q' ,e') -secure then IncXMACCj?,^ is {t,qa,q^,qe,La,Lv,e)-secure in the 
multi document setting with at most I documents, where 

t' = t -h cl(qg + ^^ + qe){L + Z + 6), q' = 2q^L^ + 2qsLg + 6qe, e' = e — q^ ■ 2 ^ 
for a small constant c € IN. 

In the multi document setting, we can allow a paste modification if we use one 
block counter for all documents. The paste command for documents M, M' with 
names ai,a 2 and MACs (d,ci,. . . ,Cn,z), . . . ,c'^,,z') produces the MAC 

(dcnt^ +1, Cl , . . . , c„, c'l , . . . , c^, , i) with 

z = z®z' ®Fa{00 ■ (dcnt^ +1),. • {^),.) ©F„(00 • (d),. ■ (oi),.) 

0i^<,(OO- (dV ■ (Cn),. • 

for the document M ■ M' with name 

4 Memory Checkers 

4.1 Definition 

Let be a data structure with a set of operations that define the behaviour 
of V on an initial configuration. Consider for example the data structure stack. 
The sequence push(a), push(6), pop, push(6), pop for an empty stack produces 
the output — , b, — , 6, where — stands for “no output” . 

We assume that all arguments for the operations are specified by a parameter 
n. To emphasize this dependence we write !?„. We want to design a program C 
that checks whether an implementation D„ of P„ works correctly for a sequence 
of operations for this data structure. We call these operations user or input 
operations. C filters the interaction between the user and the data structure 
resp. memory, so that the user can interact with the data structure only via 
the checker. After having read the next user operation, the program C shall 
return the output of that operation to the user or BUGGY if an error occurs, 
e.g. Z?„ returns a different value than the expected one. Obviously, the worst 
case occurs if the user and the memory is totally under control of one adversary. 
Additionally, the adversary works adaptively, i.e. his next action depends on all 
previous steps. 

To allow multiple instances, we extend every operation by an argument taking 
values between 0 and / — 1 in binary, where I stands for the maximal number of 
instances available. Let be the augmented version of P„. The checker can use 




403 



further instances to save additional information like time stamps to the insecure 
medium. 

An execution is divided into rounds. Each round starts with the checker 
reading the next user operation. Then it performs some local computation and 
may interact arbitrarily with the data structure. After having finished this com- 
putation, the checker shall return the correct answer for the user operation to 
the user (or ” if the operation doesn’t produce an output) before reading the 
next operation. The checker shall output BUGGY if the data structure returns 
a faulty value at some point in the execution. On the other hand, it shall never 
output BUGGY if no error occurs. Before starting the first round, the checker 
might perform a preprocessing, and additionally, after having read the last user 
operation, it might do some “postprocessing” (and perhaps output BUGGY 
then) . 

We use the RAM model to define our checker. The space complexity is mea- 
sured logarithmically, while time complexity can either be uniform or logarith- 
mic. In this work, time will be meassured uniformly. We assume that the ad- 
versary’s model of computation is a RAM, too, and that both RAM share a 
sufficient large number of registers to exchange information, while every other 
memory of each machine is private. See [GMR89,G096] for a more formal treat- 
ment of interactive machines. 

Definition 6. A (tpr«, fpost, fop, s, q, J)-memory checker for a data structure T>^ 
is a probabilistic RAM C such that for every execution with at most q user 
operations, C takes only tpre preprocessing steps, at most fpost postprocessing 
steps and only top steps to process each user operation. Additionally, C’s private 
memory is bounded above by s bits and the checker uses at most J instances 
oiVn- A (tpre , fpost , fop , s, J)-memory checker for is called (f, 5, e)-secure if 
the following holds for every adversary A running in time t: 

— Completeness: If the output of is correct for all operations issued by C, 
then the probability that C returns BUGGY or that not edl answers of C for 
the user operations are correct is at most 6, where the probability is taken 
over the coin tosses of C and A. 

- Soundness: If the output of is false for some operation, then C should 
output BUGGY with probability at least 1 - c. 

In most settings we are interested in checkers for which <5 = 0 holds. These 
checkers are called complete. Definition 6 doesn’t rule out the trivial solution, 
that C simply keeps all values in his private memory. This would rather prevent 
errors and guarantee correct outputs than check the data structure. We are 
interested in checkers using only a few bits private memory and causing a small 
overhead.® So this trivial solution gives us an upper bound and a starting point 
to build more efficient solutions. A checker is called an on-line checker iff it 

® Note that we don’t charge the checker’s running time e.g. for inserting or deleting 
an element using insert and delete commands passed to the implementation (except 
for the time to write the operation and to read the answer). 




404 



outputs BUGGY in that round in which an error occurs. Otherwise it is called 
an off-line checker. A checker is called noninvasive if at the end of each round, the 
insecure memory contains only values specified by the input operations when the 
checker reads the next operation. Otherwise it is called invasive. In particular, 
our checker based on IncXMACC is off-line and noninvasive with the additional 
property that the checker passes only user operations to the implementation. 



4.2 Designing Checkers via Incremental Schemes 

In this section we show how we can derive a memory checker from IncXMACC. 
We prove that we can check any data structure based on the structure Listn, 
where List„ represents a list with elements from {0, 1}". The initial configuration 
is empty. List„ supports four operations: insert(z, v) to insert element v € {0, 1}" 
at position i, delete(t) to remove the element at position i and return this value 
to the user, replace(i, v) to replace the i**" value by v and return this element, 
and read(i) to return the t*** element to the user. 

We can design checkers for other data structures based on List„ like stacks 
and queues. If the checker maintains a counter for the number m of elements 
currently in the list, the stack resp. queue commands pop, push(v), dequeue and 
enqueue(u) are equivalent to delete(m), insert(m+ l,u), delete(l) and insert(m + 
l,u). If the data structure can be implemented with lists, we can combine the 
checker’s program and the list implementation of the data structure to obtain a 
method to securely store the data of this structure on an insecure medium. The 
following notion of a sound scheme will help us to prove stronger security: 

Definition 7. Let S{b,s) = (Gen,Sig, IncSig, Vf) be an Ad -incremental authen- 
tication or signature scheme. S{b, s) is called sound iff for all keys produced with 
positive probability by Gen the following holds: Let M be a message that is ob- 
tained by applying a text modification tt S Ad with argument y to documents 

Ml,... , Mm and let pi , . . . ,Hm and fi = lncSig(Mi , . . . , Mm, Mi Mm, tt, j/) 

the corresponding (valid or invalid) signatures. If Vf (M, m) = 1, then Vf (Mi, Mt) = 
1 holds for alH = 1, . . . , m. 

Informally, a sound scheme is a scheme such that applying IncSig with an 
invalid signature Mi for some Mj doesn’t yield a valid signature for M. Note 
that the soundness property doesn’t guarantee security. It only states that one 
cannot produce a valid signature form invalid signatures directly. It may yet be 
possible to deduce a valid signature from an invalid one. 

Lemma 8. The {delete, insert}-incrementol scheme IncXMACCf,!, is sound. 

The proof is omitted. One can easily verify that the tree scheme is sound, too. 

Theorem 9. Let F be a function family with input length I, output length L 
and key length k. Assume that IncXMACCf,;, is (i,q,L,e) -secure against mes- 
sage substitution attacks for block size b = n. Then there exists a non-invasive 




405 



{tpTe,tpost,top,s,q,I)-off-line checker for which is (t',0,e) -secure where 

tpre = Time(FGen), ipost = ciq ■ Time(F), top = ci • (Time(F) + logg), 

s = C 2 ■ {n + l + qlogq IL + Spax;e(F)) + k, 

t' = t- cs{qtop + tpre + ^post), <li = Q, / = min{g*, g^,}. 

for small constants ci, 02,03 € IN. Here, Time(F) resp. Space(F) denotes the 
time resp. space to evaluate a function from F and Time(FGen) denotes the 
time to draw a key for a function in F. 

A sketch of the proof is given in Appendix A. It is easy to see that we can 
derive an on-line checker for Listn from the tree scheme. Storing the signature 
in the checker’s private memory is too expensive. Hence, we need additional 
instances to store the nodes of the signature tree on the insecure memory. In 
this case, security is provided by the fact that the tree scheme is secure against 
total substitution attacks. However, this checker is invasive and we cannot for 
example efficiently apply this construction to stacks, because in this case we 
cannot access all parts of the signature fast. 

4.3 A Lower Bound for Substitution Detecting Schemes 

First, we define a normal form for adversaries performing attacks on the mes- 
sage substitution detection property. Let S{b,s) = (Gen,Sig, lncSig,Vf) an M- 
incremental (signature or authentication) scheme. We assume that IncSig outputs 
the invalid signature X if, for some reason, it refuses to produce a valid one. An 
attack on the detection property is a message substitution attack, such that each 
IncSig query (oi , . . . , Om, /?, ?r, y) has the following form: 

1. The adversary may replace any message with M*. by alter commands. 
Let M^. , f = 1, . . . , m, be this sequence of messages (where we allow M* . = 
Mai). Additionally, the adversary stores the current content Mff. 

2. The adversary queries IncSig for (ai,... rr,j/). 

3. The adversary replaces all messages with name Oi by Ma,. again. If IncSig 
has returned X, the adversary replaces the document with name P by the 
former value. 

Furthermore, the adversary doesn’t use additional alter commands. It is easy to 
see that every adversary can be assumed w.l.o.g. to be in normal form. Therefore, 
we can associate each alter command uniquely to an IncSig query. If IncSig doesn’t 
return X in step 2, the adversary may either replace Mp again or not. 

For notational convenience, let M[i] = * for the message M[l] M[n] and 
i > n, where * denotes a special symbol * i7. In particular, we have M[i] 

M’[i] for messages M[l] • • • M[n] and M'[l] • ■ ■ M'[n'] with n <i <n'. 

Definition 10 . A (normal form) adversary for the detection property is suc- 
cessful, if IncSig returns in step 2 a signature different from X for a query 
(ai , . . . , am, 0, 7 T, y), such that for the blocks Af [y'/i]) h=\,... ,k, that IncSig 
has read to produce this signature, we have M*.^ [jh] [ja] for some h. 




406 



Note that Definition 10 doesn’t rule out the trivial solution that IncSig always 
outputs J- resp. that IncSig never reads a block. 

Definition 11. Let<S(6, s) = (Gen,Sig, IncSig, Vf) bean Al-incremental scheme. 
A (t, q, L, 5)-adversary for the detection property is specified by the parameters 
in definition 2, where J is the success probability. 5(6, s) is called (t, q, L,(i)- 
detecting, if there exists no (t, q, L, (J)-adversary for the detection property. 

Thus, message substitution detecting schemes can be viewed as on-line checkers. 
To prove that a detecting scheme which is secure against basic attacks, is also 
secure against message substitution attacks, we need the following definition: 

Definition 12. The Al-incremental scheme 5(6, s) = (Gen, Sig, IncSig, Vf) is a 
scheme with p-predictable IncSig-access, iff one can for all (with positive prob- 
ability generated) keys, all messages Ma^ with Mat = Mi[\] ■ ■ ■ Mi[ni\ and sig- 
natures /4a;, i = 1, . . . ,m, predict the message blocks, which IncSig accesses to 
update the signature in response to (ai , . . . , tt, y) in time p(max{ni}) (in 

the corresponding computational model) from /4a,, i = 1, . . . ,m, and 7T,y. 

For simplicity, we have assumed that IncSig’s access is predictable from /4a;, 
7T, y in time p(max{nj}). Extensions to other parameters are straightforward. 
Clearly, the tree scheme is a detecting scheme with predictable IncSig-access. 

Proposition 13. Let S{b,s) = (Gen, Sig, IncSig, Vf) be a (t,q,L, 5) -detecting 
M -incremental scheme with p-predictable IncSig-occess, which is {t, q, L, e) -secure 
against basic attacks. Then 5(6, «) is (t',q,L,e') -secure against message substi- 
tution attacks, where t' = t - qip(Li) and e' = e -hS. 

Proof. (Sketch) Let be a normal form adversary with parameters t, q, L, which 
is successful with probability at least e in a message substitution attack. Prom E 
we construct via black-box-simulation an adversary A performing a basic attack. 

A simulates each query E to Sig and Vf by its oracle access to 5(6, s). If E 
issues an IncSig query without having used an associated alter command in step 
1 of the normal form specification, then A passes this query to IncSig and returns 
the signature to E. Assume, that E tampers messages Ma< to M*. before. Then 
A computes in time p{Li) from /4a;, i = 1, . . . ,m, and 7r,y the message blocks 
^ ,k, which IncSig would read. If M*. [j/,] Mau\jh] for 

some h, A returns J. to E without quering IncSig. Else A passes the query to 
IncSig without tampering the messages and returns the signature to E. In this 
case, the signature does not depend on other (altered or unaltered) blocks and 
the answer is correct. 

As alter commands don’t change virtual documents, every virtual document 
appearing in A’s attack appears in E’s attack as well. Let Detect be the event, 
that E isn’t successful in an attack for the detection property. Furthermore, let 
Succa resp. Succe be the events that A resp. E performs a successful attack on 
the signature scheme. We have 

e' < Prob [Succe] < Prob [Succe | Detect] -f Prob [-> Detect] < Prob [Succa] + <5. 
Hence, A is successful with probability at least e. □ 




407 



We show that we cannot design detecting schemes producing small signatures; 

Proposition 14. Let S{b,s) be a complete (t,q,L, (5) -detecting scheme for t = 
cbn, Qs = 1, gi = n, L, = Li = n, which supports the replace modification such 
that IncSig always accesses the block for valid replace(Ma, », M») commands. 
Then for A := 1 — S > | the bit length of a signature for a message M = 
M[l] ■ • ■ M[n] must be at least 

where /3 = 1 — 2{a - logj e < 1, 7 = < 1 for ^ < a < A. Here, <max is 

the maximal number of blocks IncSig reads for an update step. 

The proof is a variation of the proof given in [BEG"''94] for on-line checkers and 
is omitted. If A and a are close to 1, we have 1 - | and 7 « 1, i.e. a 

signature must have at least - " bits. 

Acknowledgements 

We thank Roger Fischlin for pointing out the topic of memory checkers and 
C.P. Schnorr and the anonymous referees for their comments. We also thank 
Mihir Bellare and Daniele Micciancio for discussions about their works. 



References 

[AHU74] A.Aho, J.Hopcroft, J.Ullman: The Design and Analysis of Computer 
Algorithms, Addison Wesley, 1974. 

[BGG94] M. Bellare, O.Goldreich, S.Goldwasser; Incremental Cryptography: 
The Case of Hashing and Signing, Crypto '94, Lecture Notes in Computer 
Science, Vol. 839, Spring er-Verlag, pp. 216-233, 1994. 

[BGG95] M. Bellare, O.Goldreich, S.Goldwasser: Incremental Cryptography 
and Application to Virus Protection, Proceedings of the 27th Annual ACM 
Symposium on the Theory of Computing, pp. 45-56, 1995. 

[BGR95] M. Bellare, R.Guerin, P.Rogaway: XOR MACs: New Methods for Mes- 
sage Authentication Using Finite Pseudorandom Functions, Crypto '95, 
Lecture Notes in Computer Science, Vol. 963, Springer-Verlag, pp. 15-29, 
extended version available at http://www.es. ucdavis.edu/'rogaway/, 1995. 

[BKR94] M. Bellare, J.Killian, P.Rogaway; On the Security of Cipher Block 
Chaining, Crypto '94, Lecture Notes in Computer Science, Vol. 839, 
pp. 341-358, 1994. 

[BEG+91] M.Blum, W. Evans, P.Gemmell, S.Kannan, M.Naor: Checking the Cor- 
rectness of Memories, Proceedings of the 32nd IEEE Symposium on Foun- 
dations of Computer Science, pp. 90-99, 1991. 

[BEG"''94] M.Blum, W. Evans, P.Gemmell, S.Kannan, M.Naor: Checking the Cor- 
rectness of Memories, Algorithmica, Volume 12, pp. 225-244, 1994. 

[BK89] M.Blum, S.Kannan; Designing Programs that Check Their Work, Pro- 
ceedings of the 21st Annual ACM Symposium on the Theory of Computing, 
pp. 86-97, 1989. 




408 



[GGM86] O.Goldreich, S.Goldwasser, S.Micali: How to Construct Random Pun- 
tions, Journal oj ACM, Vol. 33(4), PP- 792-807, 1986. 

[GMR89] S.Goldwasser, S.Micali, C.Rackoff: The Knowledge Complexity of In- 
teractive Proof Systems, SIAM Journal on Computation, Vol. 18, pp. 186- 
208, 1989. 

[GMR88] S.Goldwasser, S.Micali, R.L.Rivest: A Digital Signature Scheme Se- 
cure Against Adaptive Chosen Message Attacks, SIAM Journal on Compu- 
tation, Vol. 17(2), pp. 281-308, 1988. 

[G096] O.Goldreich, R. Ostrovsky: Software Protection and Simulation on 
Oblivious RAM, Journal of ACM, Vol. 43(3), pp. 431-473, 1996. 

[M97] D.MiccianciO: Oblivious Data Structures: Application to Cryptography, 
(to appear at) Proceedings of the 29th Annual Symposium on the Theory of 
Computing, 1997. 



A Sketch of Proof of Theorem 9 

Clearly, the checker runs the incremental scheme IncXMACC to check the cor- 
rectness. For every instance we’ll have a signature for the content. Updating 
this signature when inserting, deleting, replacing or reading an element will be 
done with the insert, delete commands for the incremental scheme. To prevent 
repetition attacks, we prepend every “message” with a time stamp which the 
checker stores in its local memory, not in the insecure memory. This time stamp 
is updated before processing insert, delete commands. 

If no more operations are left, the checker empties the memory in a postpro- 
cessing phase: For each initialized instance it deletes the values in the instance 
using delete commands and checks that the obtained signatures are accepted by 
Vf. If some signature is not accepted, it outputs BUGGY, otherwise C accepts. 

If all operations work correctly, the checker never outputs BUGGY since 
IncXMACC is complete. Assume that there is a sequence of operations such 
that the checker is fooled. We design a adversary E for IncXMACC. E works as 
follows: Let A be the adversary for the checker. Then E first runs the whole 
execution simulating C and A by black-box-simulation using the oracle access 
for the incremental scheme. Moreover, E maintains the correct memory contents 
and stores all signatures. 

Since E has simulated the whole execution first, he knows the last user op- 
eration for which a wrong value has been returned. E builds a message M that 
consists of the time stamp, the correct memory content (at this point) and re- 
places the corresponding block with the wrong value. E outputs this message M 
and the signature pL for this message as a forgery. As the scheme is sound and the 
checker doesn’t output BUGGY, i.e. the signature for the final value has been 
accepted, this signature // is valid for M. Virtual documents are only changed by 
insert and delete commands, therefore all virtual documents are defined by the 
correct memory content and the counter values. Since there is some error in M, 
and the time stamps make every virtual document unique, M hasn’t appeared 
as a virtual document during the execution. Hence, E is successful if A is. 




Almost fc-wise Independent Sample Spaces and 
Their Cryptologic Applications 



Kaoru Kurosawa^ Thomas Johansson^, Douglas Stinson^ 

' Dept, of Computer Science 
Graduate School of Information Science and Engineering 
Tokyo Institute of Technology 
2-12-1 O-okayama, Meguro-ku, Tokyo 152, Japan 
kurosawa@ss.titech. 2 ic.jp 

^ Dept, of Information Technology, Lund University, 

PO Box 118, S-22100 Lund, Sweden 
thomas@it.lth.se 

^ Dept, of Computer Science and Engineering 
University of Nebraska 
Lincoln NE 68588, USA 
stinson@bibd .unl.edu 



Abstract. An almost fc-wise independent sample space is a small subset 
of m bit sequences in which any k bits are “almost independent” . We 
show that this idea has close relationships with useful cryptologic notions 
such as multiple authentication codes (multiple A-codes), almost strongly 
universal hash families and cilmost k-resilient functions. 

We use almost fc-wise independent sample spaces to construct new effi- 
cient multiple A-codes such that the number of key bits grows linearly 
as a function of fc (here fc is the number of messages to be authenticated 
with a single key) . This improves on the construction of Atici and Stinson 
[2], in which the number of key bits is J2(fc^). 

We also introduce the concept of e-almost fc-resilient functions and give 
a construction that has parameters superior to fc-resilient functions. 
Finally, new bounds (necessary conditions) are derived for almost fc-wise 
independent sample spaces, multiple A-codes and balanced e-almost fc- 
resilient functions. 



1 Introduction 

An almost k-wise independent sample space is a probability space on m-bit se- 
quences such that any fc bits axe almost independent. A e-biased sample space is 
a space in which any (boolean) linear combination of the m bits has the value 1 
with probability close to 1/2. These notions were introduced by Naor and Naor 
[17] and further studied in [1] due to their applications to algorithms and com- 
plexity theory. However, there are also cryptographic applications: Krawczyk 
applied e-biased sample spaces to the construction of authentication codes [13]. 

In this paper, we investigate several new relationships between almost fc- 
wise independent sample spaces and useful cryptologic notions such as multiple 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 409-421, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




410 



authentication codes (multiple j4-codes) [2] and fc-resilient functions [10, 3, 11, 
24, 4], 

In a multiple ^4-code, k >2 messages are authenticated with the same key. (In 
“usual” j4-codes, just one message is authenticated with a given key.) Recently, 
Atici and Stinson [2] defined some new classes of almost strongly universal hash 
families which allowed the construction of multiple A-codes. Here, we prove that 
almost fc-wise independent sample spaces are equivalent to multiple A-codes. 
This allows us to obtain a more efficient construction of multiple A-codes from 
the almost fc-wise independent sample spaces of [1]. 

Next, we present a lower bound on the size of the keyspace in a multiple 
A-code. Numerical examples show that the multiple A-codes we construct are 
quite close to this bound. Further, from the above equivalence, a lower bound on 
the size of almost fc-wise independent sample spaces is obtained for free. (While 
a lower bound on the size of e-biased sample spaces was given in [1], no lower 
bound was known for the size of almost A:-wise independent sample spaces.) 

Finally, we generalize the idea of resilient functions. A function : {0, 1}*” 

{0, 1}‘ is called k-resilient if every possible output f-tuple is equally likely to occur 
when the values of k arbitrary inputs are fixed by an opponent and the remaining 
m — k input bits are chosen at random. This is a useful tool for achieving key 
renewal; an m-bit secret key (xi, • • • ,x„) can be renewed to a new Z-bit secret 
key 4>{xi , • • ■ , Xm) about which an opponent has no information if the opponent 
knows at most k bits of (xi , • • • , Xm)- 

We show that k can be made larger if the definition of resilient function is 
slightly relaxed. Thus, we define an e-almost i-resilient function as a function 
4> such that every possible output Z-tuple is almost equally likely to occur when 
the values of k arbitrary inputs are fixed by an opponent. (The statistical differ- 
ence between the output distribution of a fc-resilient function and an e-almost 
fc-resilient function is e.) We prove that a large set of almost fc-wise independent 
sample spaces is equivalent to a balanced e-almost fc-resilient function, general- 
izing a result of [24]. From this equivalence, we are able to obtain both efficient 
constructions and bounds for balanced e-almost fc-resilient functions. 



2 Almost fc-wise independent sample spaces 

Let Sm C {0, 1}”", and let A" = xj • • • Xm be chosen uniformly from Sm- 

Definition!. [1] We say that Sm is an (e,k) -independent sample space if for 
any fc positions ii < i 2 < ■ ■ ■ < ik and any fc-bit string a, we have 

|Pr[xiiXi 2 •••Xj^ = q] - 2~*| < e. (1) 

If e = 0, then Sm is equivalent to an orthogonal array OA^(fc,m,2), where 

A = |5„|/2*=. 

The following efficient construction for (e, fc)-independent sample spaces is 
proved in [Ij. 




411 



Proposition 2. There exists an {e, k) -independent sample space Sm such that 

log 2 ISml = 2 (log 2 logj m - log 2 C + log 2 k - 1). 

In this section, we prove that almost A:- wise independent sample spaces are 
equivalent to multiple authentication codes (more precisely, almost strongly 
universal-A: hash families, as defined in [2]). This allows us to obtain more efficient 
multiple ^-codes than were previously known. 

2.1 Multiple A-codes and ASU-k hash families 

We briefly review basic concepts of (multiple) authentication codes. In the usual 
Simmons model of authentication codes (A-codes) [21, 22], there are three par- 
ticipants, a transmitter, a receiver and an opponent. In an A-code without secrecy, 
the transmitter sends a message (s, a) to the receiver, where s is a source state 
(plaintext) and a is an authenticator. The authenticator is computed as a — e(s), 
where e is a secret key shared between the transmitter and the receiver. The key 
e is chosen according to a specified probability distribution. 

In a multiple A-code, we suppose that an opponent observes i >2 messages 
which are sent using the same key. Then the opponent places a new bogus 
message {s', a') into the channel, where s' is distinct from the i source states 
already sent. This attack is called a spoofing attack of order i. Pd- denotes the 
success probability of a spoofing attack of order i, see [15]. 

Almost strongly universal hash families are a very useful way of constructing 
practical A-codes. This idea was introduced by Wegman and Carter [26], and 
further developed and refined in papers such as [23, 5, 13, 12]. Atici and Stinson 
[2] generalized the definitions so that they could be applied to multiple A-codes. 
We review these definitions now. 

Definition 3. An (iV;m,n) hash family is a set F of A functions such that 
f : A B for each f E F, where |A| = m, \B\ = n and m > n. 

Definition 4. An (N-,rn,n) hash family F of functions from A to B is e almost 
strongly universal-k (or e-ASU {N]m,n,k)) provided that, for all distinct ele- 
ments xi,X 2 , - ■ ■ ,Xk € A, and for all (not necessary distinct) yi,y 2 , - ■ ■ ,yk € : 

we have 



[{/ e F : f(xi) = yi, 1 < i < k}\ < € X \{f € F : f{xi) = yi,l < i < k - 1}|. 

The following result gives the connection between e-ASU {N\m,n,k) hash 
families and multiple A-codes. 



Propositions. [2] There exists an A-code without secrecy for m source states, 
having n authenticators and N equiprohahle authentication rules and such that 
Pdk-i £ Cj */ only if there exists an e-ASU {N;m,n,k) hash family F. 




412 



2.2 Equivalence of hash families and sample spaces 

We can can rephrase Definition 1 in terms of hash families, and generalize it to 
the non-binary case, as follows. 

Definition 6. An (iV;m,n) hash family F of functions from A to B is {e,k)- 
independent if for all distinct elements xi,X 2 , - ■ ■ ,Xk E A, and for all (not nec- 
essary distinct) yi,y 2 , - ■ ■ ,Vk ^ B, we have 

I = Viyl < i < k) - < e, (2) 

where f £ F is chosen uniformly at random. 

The following results are straightforward. 

Proposition 7. An (e, k) -independent sample space Sm is equivalent to an {e, k)- 
independent (15^1; m, 2) hash family. 

Propositions. If there exists an {e, k) -independent sample space S^, then there 
exists an {e,k ft) -independent (lSm|;m/t,2‘) hash family. 

Now we show the equivalence of (e, fc)-independent sample spaces and almost 
strongly universal-A: hash families. 

Theorem 9. If F is an (e,k) -independent (N;m,n) hash family, then F is a 
6-ASU {N\ m, n, k) hash family, where 

S = 

n{n~^ — e) 

Proof, Suppose that Eq. (2) holds. Then for any 2 /i, • ■ • , 1 /*: € B, we have 

Pr[/(a;i) = j/i, 1 < i < fc] > n”'*' — e, 

^ Pr[/(a:i) = j/i, 1 < i < A:] > ^ (n"* - e), and 

Vk£B 

Pr[/(a;j) = j/i, 1 < i < A; - 1] > n(n~* - e). 

From the above inequality and Eq. (2), we have 

Pr[/(xt) = yj,l <i < k] ^ -f e 
Pr[/(xj) = j/i, 1 < i < A; - 1] ~ n(n“*= - e) ‘ 

Let 5 = (n~* + e)/(n(n~* — e)). Then 



\{f E F : f{xi) — Vi,! < i < k}\ < 6 X \{f e F : f{xi) = yi,l < i < k - 1}|. 
Hence, F is a iJ-ASU {N; m, n, k) hash family. □ 




413 



Definition 10. An {N; m, n) hash family F of functions from A to B is strongly 
[e,k) -independent if for any t such that 1 < t < k and for all distinct elements 
xi,X 2 ,- " and for all (not necessary distinct) j/i , 1 / 2 , • ' ' > 2/t £ B,we have 

\PT{f{xi) = yi,l<i<t)-n~~^\<e (3) 

where / € F is chosen uniformly at random. 

Theorem 11. If an (AT; m, n) hash family F is strongly (e, k) -independent, then 
F is a 5-ASU (N-,m,n,k) hash family, where 5 = (n“* + — e). 

Proof. The proof is similar to the proof of Theorem 9. □ 

Lemma 12. [2] Suppose that a hash family F of functions from A to B is e-ASU 
{N-,m,n,k). Then for for all l<j<k, for all distinct elements xi,X 2 , ■ ■ ■ ,Xj € 
A, and for all (not necessary distinct) j/ 1 , 1 / 2 , ■ ■ - ,Vj ^ B, we have 

lifeF: f{xi) =Vi,\<i< j}| <e^xN (4) 

Lemma 13. [2] If a hash family F is e-ASU (N;m,n,k), then t > 1/n. 

Theorem 14. If a hash family F is e-ASU {N;m, n, k), then F is {S, k)-indepen- 
dent, where 6 = {n^ — l)(e*^ — n~^). 

Proof. Prom Lemma 12, we have 

Pr[/(a:i) = j/i, 1 < i < fc] < e* and (5) 

Pr[/(a:i) — yi,l < i < k] — < e* — n~^. (6) 

On the other hand, from eq.(5), we have 

PT[f{xi) = Viyl < i < k] < [n'^ - l)e''. 

{yi,--,Vk)=^(yi,-,yk) 

Therefore, we have 

Pr[f{xi) = yi,l <i < k] = I - ^ Pr[f(xi)=yi,l<i<k] 

(yi,-,yk)^(vt,-,yk) 

> 1 - (n* - l)e*. 

Hence, 

Pr[/(xj) = Pi, 1 < i < k] — n~^ > 1 — (n*' — l)e* — 

= 1 - e^n'' +e^ - n~'‘ 

= -(n* - l)(e* - n-*). 

FVom Lemma 13, we see that e* - > 0. Hence, 

-(n* - l)(e* - n“'=) < Pr[/(a:i) = i/i,l < i < k] - n~'‘ < e'‘ - 
Then the family is (5, A:)-independent, where 

5 = max{|e'= - n-% | - (n* - l)(e* - n-*)|} = (n* - l)(e* - n-*>) 

□ 




414 



2.3 New multiple A-codes 

By combining Propositions 2 and 8 with Theorem 9 or Theorem 11, we can 
obtain new multiple A-codes (ASU-fc hash families) from an (e, fc)-independent 
sample space. Since the (e, A:) -independent sample spaces from [1] mentioned in 
Proposition 2 can be shown to be strong, we will apply Theorem 11. 

Theorem 15. There exists a S-ASU {N;m,n,k) hash family where 

\ 0 g 2 N = 2(log2log2(mlog2n)-l-fclog2n-log2(nd-l)+log2(/clog2n)-l). (7) 



Proof. Define I = k log 2 n, u = m log 2 n, and 

--*(dn- 1) 



e = 



6 + 1 



n *(dn — 1). 



Apply Proposition 2 and 8, constructing a strongly (e, A:)-independent {N, m, n) 
hash family, where log 2 N = 2(log2 log 2 n— log 2 c-flog 2 l — l). Now apply Theorem 
11, to obtain a 5-ASU {N;m,n,k) hash family. We compute log 2 W as 

log 2 N = 2(log2 log 2 (m log 2 n) - log2(n"*((5n - 1)) + log 2 (A; logj n) - 1) 

= 2(log2 log 2 (mlog 2 n) -I- A: log 2 n - log2(<5n - 1) -t- log 2 (A:log 2 n) - 1). 



□ 



3 A lower bound 



In this section, we present a lower bound on the size of ASU-A; hash families and 
almost A:- wise independent sample spaces. 



Theorem 16. If there exists an e-ASU{N\m,n,k) hash family such that 



€* < 1/n, 



( 8 ) 



then 




Proof. Suppose F is an e-ASU{N;m,n,k) hash family from A to B, where 
|A| = 771, |i?| = n and k >2. Construct an x mn binary matrix G — {gij), 



with rows indexed by the functions in F and columns indexed hy Ax B, defined 
by the rule 



f 1 if f(x) = 

1 0 if fix) y 



Interpret the columns of G as incidence vectors of the A^-set F. We obtain a 
set-system {F,C = {C^.y : x ^ A,y E B}), where 



Cx,y = {/ € F : fix) = y} 




415 



for all a; e A, j/ € B. Let 

t = [e*iVj + 1. (9) 

This set-system satisfies the following properties: (A) \F\ — N, (B) \C\ = mn, 
(C) Sc€C 1^1 = (^) there does not exist a subset of t points that occurs 

as a subset of k different blocks (see Lemma 12) . 

Property (D) says that (F,C) is a t-packing of index X = k — 1 (i.e., no 
f-subset of points occurs in more than A blocks) . Hence we obtain the following: 

Property (C) implies that the average block size is Nm/mn = N/n. Define a 
real- valued function f{x) as 




0 if a: < t 

a:(a: — 1) ... (a; — f + 1) otherwise. 



Since f{x) is convex, we have 

mn\t ) ~ mn \ t ) t\ 



( 11 ) 



from Jensen’s inequality. We observe that iV/n > < - 1 follows from Eq. (8) and 
Eq. (9). Then, we obtain 



(k-l) 



N{N -t + 1) 



> mn, 



( 12 ) 



and hence 



(fc-1) 



N-t + 1 
^-t + 1 



> mn. 



(13) 



From Eq. (9), we have t < e^N -I- 1. Then Eq. (13) can be simplified as follows. 



(k 



(e*7V+l)log 



from which our bound is obtained. 



(x^) 



> mn, and hence 



> log 



mn 



k-lj ’ 



□ 



Corollary 17. Suppose Sm is an (e,k) -independent sample space. Denote S = 
(2-* -he)/(2(2-'' -e)). If < 1/2, then 








Proof. This follows from Theorem 9. 



□ 




416 



3.1 Some numerical examples of multiple A-codes 

We give some numerical examples to compare the multiple A-codes constructed 
by Atici and Stinson in [2], our new multiple A-codes obtained from Theorem 15, 
and the lower bound of Theorem 16. Suppose we want an authentication code 
for m = 2^ source states with deception probability S = 2~^°. We tabulate the 
number of key bits (i.e., log 2 N) for k = 3,4, 10. Note that we take n = 2/(5 = 2"^^ 
in Theorem 15 and Theorem 16 (whereas in [2], n > 2/S). 



k 


[2] 


Theorem 15 


Lower bound 


3 


657 


518 


243 


4 


1043 


602 


283 


10 


5376 


1096 


523 



A counter-based multiple authentication scheme would (of course) require less 
key bits than the proposed construction. For example, tabulated values from 
[2] show that the construction from [5] would for the parameters above and 
k = 4 require 447 key bits. Hence, the 602 — 447 = 155 additional key bits 
we use can be thought of as the price payed for having a stateless multiple 
authentication scheme. An interesting property that can be verified through 
Theorem 15 is the following. When fc oo, the number of key bits required per 
message approaches log 2 n, which is the same as for the counter-based multiple 
authentication scheme. 

4 Almost resilient functions 

In what follows, let m > / > 1 be integers and let (/> : {0, 1}”* — > {0, 1}^ 

Definition 18. <f> is called an (m, I, k) -resilient function if 

Pr[(f>(xi,...,Xm) = \ - = a] = 2“' 

for any k positions I'l < • ■ • < ik, for any A:-bit string a and for any {yi, ■ ■ ■ ,yi) € 
{0, 1}^ where the values Xj {j 0 {ii, ...,**}) are chosen independently at ran- 
dom. 

Resilient functions have been studied in several papers, e.g., [10, 3, 11, 24, 4]. 
We now introduce a generalization, which we call e-almost resilient functions, in 
which the the output distribution may deviate from the uniform distribution by 
a small amount e. 

Definition 19. We say that is an e-almost {m, I, k)-resilient function if 

|Pr[(/)(a;i, . . .,Xm) = (yi, ■ ■ ■ ,yi) I -Xi,, = a] - 2~‘\ < e 

for any k positions ii < ■■ ■ < for any fe-bit string q and for any {y\, - ■ ■ ,yi) € 
{0,1}^ where the values Xj {j 0 {fi, . . . , tfc}) cire chosen independently at ran- 
dom. 




417 



4.1 Relation with (e, fc)-independent sample space 

It is well-known that a resilient function is equivalent to a large set of orthogonal 
arrays [24]. Here we prove a similar result for almost resilient functions that 
involves A;- wise independent sample spaces. 

Definition 20. A large set of -independent sample spaces, denoted 

LS{e, k, m, f), is a set of 2'”-* (e, k,ni, t)-independent sample spaces, each of size 
2*, such that their union contains all 2*” binary vectors of length m. 

Theorem 21. If there exists an LS{e, k, m, t), then there exists a S-almost {m, m— 
t,k) -resilient function, where 5 — 6/2"““*“*^. 

Proof. There are 2™“* (e, fc)-independent sample spaces in the set. Name the 
(e, fc)-independent sample spaces C-,, 7 6 {0,1}"*“^ Then define a function 
4 > : {0, 1}*" {0, l}™-‘ by the rule 



.,Xm) = 7 if and only if (xi,. . .,Xm) G Cy. 

For any k positions ii < ■ • - < i*,, any fc-bit string a and any 7 e {0, 1}”*“*, let 

~0!, (Xi,...,X 7 Ti) ^ ^7} 1 ■ 

Then 

Pr[<^(xi,...,x,„) = 7I XijXjj •••X 4 = a] = (14) 

From Definition 1, we have 

2-* -€<^<2-* -he. (15) 

Hence, from (14) and (15), we obtain 

|Pr[<6(xi,...,x,„) = 7 I Xi,Xi^ ■ ■ ■ Xi,, = a] - 



□ 

Definition 22. The function <j> : {0, 1}'" {0, 1}' is called balanced if we have 

Pr[(j6(xi,...,x„) = (j/i,...,j/()] = 2“' 
for all (i/i, • ■ ■ ,yj) G {0, 1}'. 

For balanced functions, we can prove the converse of Theorem 21. 

Theorem 23. If there exists a balanced e-almost {m, I, k)-resilient function, 4>, 
then there exists an LS{6, k,m,m — 1), where 6 = c/2*~^ 




418 



Proof. For 7 € {0, 1}^ let 

C-y = {{xi,...,Xm) ■<i>{xi,...,Xm) = 7}- 

Since <j> is balanced, \C.y\ = If each Cy is an (e, A;)-independent sample 

space, then we automatically get a large set. For any k positions ii < ■ ■ ■ < ik, 
for any fc-bit string a for and any 7 e {0, 1}', let 

L — * ‘ * — ri, (^1 , . . . , Xm ) ^ ^7 } I ■ 

Then, within the sample space Cy, we have 

Pr[a:i,a;i, • • ■ Xi, = a] |^ = (16) 

From Definition 19, we get 

2~‘ -f< < 2-' + 6. (17) 

— ^rn—k ~ ^ ' 

Hence, from (16) and (17), we obtain 

|Pr(xi,Xi, =a)- 2"'=| < 

□ 

4.2 Constructions of €-almost resilient functions 

Definition 24. An (e, A:)-independent sample space Sm is t-systematic if |5m| = 
2*, and there exist t positions ii < • • • < it such that each t-bit string occurs in 
these positions for exactly one m-tuple in Sm- 

A t-systematic (e, fc)-independent sample space can be transformed into an LS{e, k, m, t) 
by using the same technique as [25, Theorem 3]. We have the following result. 

Theorem 25. If there exists a t-systematic (e, k) -independent sample space Sm, 
then there exists a balanced S-almost (m,m — t.,k) -resilient function, where 5 = 

Due to space limitations, we will present only a very brief summary of our 
construction for t-systematic (e, A:)-independent sample spaces. Our approach is 
similar to [12] (see also [18]), and depends on the Weil-Carlitz-Uchiyama bound. 
In what follows, let Tr denote the trace function from GF(2*) to GF{2). 

Proposition 26 Weil-Carlitz-Uchiyama bound. [9] Let f{x) = ^ 

GF{2^)[x] be a polynomial that is not expressible in the form f{x) = g{x)‘^ — 
g(x) -f- 8 for any polynomial g{x) 6 GF{2*){x] and for any 6 £ 7^2* • Then 

aeGF(2‘) 



<{D- l)v^. 




419 



Definition 27. A polynomial h{x) G GF{2‘')[x] is a {2^ , D) -polynomial if h has 
degree at most D and Oj = 0 for all even i, where h = Define 

if( 2 *, D, fc) to be a set of ( 2 * , D)-polynomials such that any k polynomials in the 
set are independent over GF{2). 

For hi^,hi 2 , . ■ . , G H{2^,D,k) and for any k elements oi, •• • , 0 * G GF{2), 
define 

N., a, {hi, ,...,hi,) = \{xe GF(2‘) : Tr{hi, (x)) = m , • ■ ■ , Tr{hi, (x)) = a, } | . 

Lemma 28. [12] , . . . , hij - 2‘-*| < (D - l)v^. 

Proof. The proof is an application of Proposition 26. The case fc = 2 can be 
found in [ 12 ] and the general case is proved similarly. □ 

Theorem 29. Suppose that S is a primitive element ofGF{2*), and H{2*,D,k) 
is chosen such that {x, /3x, /3^x, . . . ,/3*“’^x} C H{2*- ,D,k). There exists a t- 
systematic {e,k) -independent sample space Sm where m = \H{2^,D,k)\ and 

€ = {D- 1)/V¥. 

Proof. Let H (2‘, D, k) = {hi , • • • , hm}- Construct a sample space Sm as follows: 
A binary string X-, = xiX 2 • ■ -x^ G Sm is specified by any 7 G GF{2^), where 
the ith bit of X.y is Xi = Tr{hi{'y)). The proof that Sm is (e, fc)-independent 
follows from Lemma 28. Further, Sm can be shown to be systematic using the 
fact that {x,/3x,/3^x, . . . ,/3‘“^x} C H{2^,D,k) (the proof will be given in the 
final paper). □ 

4.3 An Application 

In our approach, using Theorem 29, we need to construct a set of polynomials 
H{2*,D,k) such that any k of them are linearly independent over GF{2). For 
this we can use linear error-correcting codes (see [14]). For a fixed (odd) degree 
D, we can express each polynomial as a hnear combination of polynomials in 
the set 



(x,^x,...,^‘ ^x,x^,/?x^, . . . ^x^,...,x^,/3x^,...,/9* ^x^}. 

Indexing the polynomials in H{2*,D,k) as hi,h 2 , ■ . . ,hm we obtain a binary 
tD' X m matrix, where D' = {D -h l)/2, which is a parity check matrix of an 
[m,l,d\ error correcting code in which m — I = tD' and d = fc -I- 1. Conversely, 
given such a code, we obtain a t-systematic sample space, and hence a balanced 
e-almost (m,m — f,fc)-resilient function, as follows. 

Theorem 30. Suppose D = 2D' — 1 and there is a [m,m — tD',k + 1] code. 
Then there exists a balanced e-almost (m,m — t, k)-resilient function such that 

_ {D - i)V¥ 




420 



A suitable value of e would be 2 We obtain the following corollary 

of Theorem 30 by taking D = 3 and k = (t/2) — 2. 

Corollary 31. Suppose there is an [m, m — 4A; — 8,A:+1] code. Then there exists 
a balanced -almost {m, m — — 4, k)-resilient function. 

As a typical example, suppose we take m = 160 and fc — 18. A [160, 80, 23] 
code is known to exist see ([6]), so we obtain a baJanced 2~^^^-almost (160, 120, 18)- 
resilient function. 

Let’s compare the above result to the best-known (160, 120, A:)-resilient func- 
tion. The most important construction method for resilient functions [3, 10] uses 
linear error-correcting codes, as follows: Let f? be a generator matrix for an 
[m,l,d\ linear code. Define a function / : (GF(2))"‘ (GF(2))^ by the rule 

f(x) = xG^. Then / is an (m,l,d — 1) linear resilient function. The maximum 
d for which a [160, 120, d] code is known to exist is d = 12 (see [6]). Hence, 
the maximum k for which we can construct a (160, 120, fc)-resilient function is 
k = 11. 

5 Comments 

The techniques of this paper can also be used to construct “almost” versions of 
other cryptographic tools. These include correlation-immune functions (see, for 
example, [19, 8, 7]) and locally random pseudo-random number generators (see 
[20, 16, 18]). Details will be given in the full version of the paper. 

References 

1. N. Alon, O. Goldreich, J. Hastad, and R. Peralta. Simple constructions of almost 
fc-wise independent rcindom variables. Random Structures and Algorithms 3 (1992), 
289-304. 

2. M. Atici and D. R. Stinson. Universal hashing and multiple authentication. Lecture 
Notes in Computer Science 1109 (1996), 16-30 (CRYPTO ’96). 

3. C. H. Bennett, G. Brassard, and J.-M. Robert. Privacy amplification by public 
discussion. SIAM Journal on Computing 17 (1988), 210-229. 

4. J. Bierbrauer, K. Gopalakrishnan and D. R. Stinson. Bounds for resilient functions 
and orthogonal arrays. Lecture Notes in Computer Science 839 (1994), 247-257 
(CRYPTO ’94). 

5. J. Bierbrauer, T. Johansson, G. Kabatianskii and B. Smeets. On families of hash 
functions via geometric codes and concatenation. Lecture Notes in Computer Sci- 
ence 773 (1994), 331 342 (CRYPTO ’93). 

6. A. E. Brouwer. Bounds on the minimum distance of binary linear codes, 
http : / / WWW . win . tue . nl/win/math/dw/ voorlincod . html 

7. P. Camion and A. Canteaut. Generalization of SiegenthaJer inequality and Schnorr- 
Vaudenay multipermutations. Lecture Notes in Computer Science 1109 (1996), 
372-386 (CRYPTO ’96). 

8. P. Camion, C. Carlet, P. Charpin and N. Sendrier. On correlation-immune func- 
tions. Lecture Notes in Computer Science 576 (1992), 86-100 (CRYPTO ’91). 




421 



9. L. Carlitz cind S. Uchiyama. Bounds on exponential sums. Duke Math. Journal, 
(1957), 37-41. 

10. B. Chor, O. Goldreich, J. Hastad, J. Friedman, S Rudich and R. Smolensky. The 
bit extraction problem or <-resilient functions. 26th IEEE symposium on Founda- 
tions of Computer Science, pages 396-407, 1985. 

11. J. Friedman. On the bit extraction problem. 33rd IEEE symposium on Foundations 
of Computer Science, pages 314-319, 1992. 

12. T. Helleseth and T. Johansson. Universal hash functions from exponential sums 
over finite fields and Galois rings. Lecture Notes m Computer Science 1109 (1996), 
31-44 (CRYPTO ’96). 

13. H. Krawczyk. New hash functions for message authentication. Lecture Notes in 
Computer Science 921 (1995), 301-310 (EUROCRYPT ’95). 

14. F. J. MacWilliams and N. J. A. Sloane. The Theory of Error- Correcting Codes. 
North-Holland, 1977. 

15. J. L. Massey. Cryptography - A selective survey. Digital Communications, North- 
Holland (1986), 3-21. 

16. U. M. Maurer and J. L. Massey. Perfect local randomness in pseudo-random se- 
quences. Lecture Notes in Computer Science 435 (1990), 100-112 (CRYPTO ’89). 

17. J. Naor and M. Naor. Small bias probability spaces: efficient constructions and 
applications. SIAM Journal on Computing 22 (1993), 838-856. 

18. H. Niederreiter and C. P. Schnorr. Local randomness in polynomial random num- 
ber and random function generators. SIAM Journal on Computing 22 (1993), 684- 
694. 

19. T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryp- 
tographic applications. IEEE Trans. Inform. Theory 30 (1984), 776-780. 

20. C. P. Schnorr. On the construction of random number generators and random func- 
tion generators. Lecture Notes in Computer Science 330 (1988), 225-232 (EURO- 
CRYPT ’88). 

21. G.J. Simmons. A game theory model of digital message authentication. Congressus 
Numeratium 34 (1982), 413-424. 

22. G.J. Simmons. Authentication theory/coding theory, Lecture Notes in Computer 
Science. 196 (1985), 411-431 (CRYPTO ’84). 

23. D. R. Stinson. Universal hashing and authentication codes. Lecture Notes in Com- 
puter Science 576 (1992), 74-85 (CRYPTO ’91). 

24. D. R. Stinson. Resilient functions and large set of orthogonal arrays. Congressus 
Numerantium 92 (1993), 105-110. 

25. D .R. Stinson and J. L. Massey, An infinite class of counterexamples to a conjecture 
concerning nonlinear resilient functions. Journal of Cryptology 8 (1995), 167-173. 

26. M. N. Wegman and J. L. Carter. New hash functions and their use in authentication 
and set equality. Journal of Computer and System Sciences 22 (1981), 265-279. 




More Correlation-Immune and Resilient 
Functions over Galois Fields and Galois Rings 



Claude Carlet 

GREYC, Universite de Caen 
and 

INRIA Projet Codes 
Domaine de Voluceau, BP lOS 
78153 Le Chesnay Cedex 
FRANCE 

email; Claude.Carlet@inria.fr 



Abstract. We show that the usual constructions of bent functions, 
when they are suitably modified, allow constructions of correlation-immune 
and resilient functions over Galois fields and, in some cases, over Galois 
rings. 



1 Introduction 

The functions used in a conventional cipher must provide both diffusion, for 
merging several inputs, and confusion, for hiding any structure (cf. [19]). These 
notions are respectively formalized through the properties of correlation-immunity 
[2, 3, 4, 5, 20, 22] and nonlinearity [15, 16]. 

Correlation-immune functions play an important role in several aspects of 
cryptography such as, for instance, the design of running- key generators in 
stream ciphers which resist the correlation attack [20] or the design of hash 
functions (cf. [21]). The most general definition (cf. [3]) defines them over fi- 
nite alphabets (the original definition was given in [20] for binary functions): let 
.4 be a finite alphabet; a function / from A" to A™' is t-th order correlation- 
immune if the probability distribution of the output vector f{Xi , . . . , X„), where 
Xi,. . . ,Xn are random input variables assuming values from A with indepen- 
dent equiprobable distributions, is unaltered when at most t of the variables 
Xi, . . . ,Xfi are fixed (i.e. replaced by constants). 

In [22], Xiao Guo-Zhen and J. L. Massey give a convenient characterization of 
binary correlation-immune functions by means of characters. It is generalized in 
[3] by Camion and Canteaut to finite abelian groups. Recall that the group of 
characters on a finite abelian group G is isomorphic with G itself. For x, u G G, 
we denote by {x, u) the image of x under the character associated to u via such 
an isomorphism. We have: 

(a:, u) / 0 ^ M = 0. (1) 

x^G 



W. Fumy (Ed.); Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 422-433, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




423 



Such an isomorphism being chosen, the characters on the group G" (n > 0) are: 

n 

{X,u)n = , X=={xi,.. .,Xn), U = {ui , . . . , Un) ■ 

i=l 

A function / from G” to G™ is t-th order correlation-immune if: 

Vu € G“, Vm e G", 1 < Wfl-(u) < t, {x,u)n(f(x),v)m = 0 (2) 

xeG" 

where wh{u) denotes the Hamming weight of u. 

According to property (1), the equality in (2) is satisfied for every u 0 if u = 0. 
Thus, V may be assumed to be nonzero in (2). 

/ is f-resilient if it is t-th order correlation-immune and balanced. It is a simple 
matter to show that, thanks to the characterization above, this is equivalent to: 

Vu G G™, u 0, Vu e G", w//(u) < t, ^ (r, u)„(/(r),u)m = 0. (3) 

xeG" 

In [4] is given a bound on the degree relative to each variable of the algebraic 
normal form of a t-th order correlation-immune (resp. t-resilient) function over 
a finite field: in each monomial, at most n — t (resp. n — t — 1, provided q"* y^ 2 
or t y^ n - m) of the variables have (maximum) degree q - 1. 

This bound, that generalizes Siegenthaler inequality [20], shows that the func- 
tions over finite fields are better suited than binary ones to achieve high linear 
complexity, given the order of their correlation-immunity. 

The bent functions [5, 6, 7, 9, 11, 13, 15, 17] are those Boolean functions 
whose nonlinearity is maximum. The notion has been first defined for Boolean 
functions over GF{2Y (cf. [17], recall that n must then be even) and later 
generalized to functions over residue class rings (cf. [13]); let q and n be any 
positive integers; we denote by Z, the ring XjqTi. A function / from Z," to Z, 
is called bent if, for any vector s, the character sum: 

XgZ," 

has magnitude q?, where Wg = The function / is called regular-bent if 

there exists a function f such that, for any s: 

Y, =q^ 

X^Zjg" 

There exists also a generalization of the notion to functions over finite fields (cf. 
[1]), that is not equivalent for prime fields. These definitions can be extended 
to definitions of (regular-) bent functions over a Galois ring GjR(p*,m) (whose 




424 



definition is recalled in subsection 2.1): the character sums to be considered in 
this wider framework are: 



ic ,m)” 

where Tr is the trace function from GR{j^,m) to Zpk. 

These notions of correlation-immune and bent functions are very similar. The 
purpose of this paper is to show that various constructions of bent functions, 
when they are suitably modified, lead to constructions of correlation-immune 
functions. Some of these constructions will be primary, in the sense that they 
lead to new classes of correlation-immune functions without using known ones. 
Others, on the contrary, will be secondary constructions. 



2 Primary constructions 

2.1 A Maiorana-McFarland-like class 

Maiorana-McFarland class (cf. [11]) is the set of all the (bent) Boolean functions 
on GjF(2)” = {{x,y),x,y € GF(2) t } (n even) of the form : f(x,y) = x ■ 7r(y) -I- 
g(y) where tt is any permutation on GF(2)t and g is any Boolean function on 
GF(2)f. 

In [5] is derived a construction of binary resilient functions: 
let t and n = r -t- s be any positive integers (r > t > 0, s > 0), 5 any boolean 
function on GF{2y and (f> a mapping from GF(2Y to GF{2Y such that every 
element in cf>(GF{2Y) has Hamming weight greater than t, then the function: 

fix, y)=x- cPiy) + g{y), x € GF(2)^ y £ GF(2)* 



is t-resilient. 

We generalize this construction to any Galois ring in theorem 1. Before we state 
this theorem, we recall what are the definition and major properties of Gcdois 
rings. 

For any prime p and any positive integers k and m, the Galois ring GR{p'‘ , m) 
is the Galois extension of degree m of the ring Zpk. When m = 1, GR{p'‘,m) is 
equal to Zpk and when fc = 1, it is equal to the Galois field GF{p^). We refer 
to [14] for a general presentation of this notion and to [12] for the special case 
p = fc = 2. 

Galois rings share with Galois fields almost all their properties. 

• Their elements can be described in two different forms by means of a primitive 
element (, of order p”*: 

- the ’’multiplicative” form (this term comes from field theory): 

k 

X = Ui G {0,1,^, 

i=l 




425 



- the ’’additive” form: 

m — 1 

X = ^ drCj dr £ Zpk. 

r=0 

. They admit a Probenius automorphism; 

k k 

1=1 1=1 

and a trace map from GR{p ^ , m) to Zp* ; 

Tr : X — > X + ^p{x) + . . . + (x), 

where is m — 1 times the composition of ip by itself. 

The difference between Galois fields and general Galois rings is obviously that 
every nonzero element of GR{p’‘,m) is not necessarily a unit; the units of 
GR{p^ ,Tn) are the elements; 

k 

Ui e {1,^,...,^’’’"-^}, U2,...,Uk 6 {0, 1,^, 

1=1 

Their number is • (p"^ - 1) = |Gi?(p*,m)l • 

We denote again by x • p the expression: 

n 

Y^Xj-yj, X = (xi,...,x„) € Gfl(p*,Tn)’", y = (pi,...,Pn) € Gil(p*’,m)". 
j=i 

The characters on GR{p‘^ ,m)'^ are the functions: x — » {x,y)n = 
where Wpk = . 

The construction given in [5] could be extended to general finite rings. In the 
case of Galois rings, it is easy to state: 

Theorem 1. Let G be any Galois ring, t and n = r + s any positive integers 
(r > t > 0, s > 0), g any function from to G and <p a mapping from G‘ to 
G’’ such that any element in 4>{G^) has more than t coordinates that are units, 
then the function: 



f{x, y) = x- (f>{y) + g{y), x G G”, y £ G* 



is a t-resilient function on G". 



Proof : 

For any nonzero element n of G and any element {u, u') of G" (n G G”, u' G G*), 
we have: 

Y (^>‘^)r{v,u')s{f{x,y),v) ^ 




426 



yj ^Tr[v[x-^{y)+g{y)]+z u+y u') _ 

xeG^,y^G‘ 



E E 

yGG» \ Xx^G’- 



Wr 



Tr{x [u<t>(y)+u]) j ^ ^Tr(vg{y)+y-u') 



The sum: 



y~^ yj^^Tr{x [v^(y)+u]) 



leG’’ 



is equal to 0, unless v(j){y) + u = 0, according to property (1). Therefore: 



y€G’ I u<^(y) + u=0 

If we assume that {u, u') has Hamming weight at most t, then u, whose Ham- 
ming weight is a fortiori at most t, cannot be equal to —v (/>( 2 /): according to the 
hypothesis on <j>, v 4>{y) has more than t nonzero coordinates. Thus, the sum 
53 (x,ix)r(i/,u')a(/(a:, 3 /),'u) is equal to zero. / is t-resilient. □ 

x€G’-,yeG’ 

Example: if G is a Galois field and (p{y) = {<pi (y), 4>r{y)) is such that; 

. the sets Ei = {y e \ 4>i{y) = 0), i — I, . ■ . ,r are disjoint each others; 

. a monomial in the algebraic normal form of one of the functions (fi has maxi- 
mum degree q — l relative to each variable; 

then f(xi'^~'^,...,Xr'‘~‘^,yi_,...,ya) is (r — 2)-resilient (according to theorem 1 
and to [3], prop. 9) and almost reaches the bound on the degrees recalled in the 
introduction. 



2.2 A Partial-Spreads-like class 

In [1 1] is also introduced the class of bent functions called VSap (a subclass of 
Partial-Spreads class), whose elements are defined the following way: 

GF(2)v is identified to the Galois field GF(2v); VSap is the set of all the 
functions of the form f{x,y) = g(xy^~'^) (i.e. g(^) with | = 0 if x = 0 
or ^ = 0) where g is a balanced Boolean function on GF(2)t. We have then 
f(x,y) = 5(f)- 

The idea of this construction may be used to obtain a construction of correlation- 
immune functions. We give this construction in its most general form (involving 
a Galois field GF{q) where q is any prime power). 

In the next theorem, we identify a power F”* of a Galois field F = GF(q) 
to the Galois field GF(q'^). Such an identification is done the following way: 
we choose a basis (ai, . . . ,am) of the F-vector space GF{q^) and we identify 
X = (xi, . . . ,Xm) ^ F"“ to ^ GF{q”‘). We know that a dot product 

on F™ is, via this identification Trm{xy), where Trm is the trace map from 




427 



GF{q^) to GF{q). But the notion of correlation-immune function depends on 
the choice of the dot product on So, we assume that the basis (oi , . . . , a„) 
is self-dual (it is always possible to find such a basis when q is even or m is odd), 
so that: 

m 

Trm{xy) = 'Y^Xiyi = X y. 

i=l 

Notice that if we do not have a self-dual basis, we still have, for any basis, 
x-y = Trmiaxy), a £ 

We will use a well-known fact about linear mappings: let </> be a linear mapping 
from GF{q^) to GF{q”^), there exists a linear mapping (f>* (called adjoint of 
from GF(q’'") to GF{q^) such that, for every x £ GF{q'^) and every y £ GF{q^): 

Trm{x4>{y)) =Trn{<t>*{x)y). 

We state theorem 2 in the case we have self-dual basis in GF{q™-) and GF(q^). 
It can be easily generalized to any case. 

Theorem 2. Let T = GF{q) (q = p“) be a finite field and tr the trace function 
from T to its prime field GF(p). Let n and m be two positive integers (n, m odd 
if q is odd), g a function from GF{q'^) to F, (f> a linear mapping from GF{q^) 
to GF{q^) and a an element of GF{q”^) such that a + (f{y) 0, Vy € GF{q^). 

Let f he the function from F"^ x F'^ to F defined by: 

where b £ GF(q^) and where x, y are viewed as elements of GF{q”^), GF{q'^) 
respectively. 

Assume that, for every z in GF{q^) and every v ^ 0 in F, (j)*{z) + vb has weight 
greater than t, then f is t-resilient. 

Proof : 

We have, for any {u,u') in F^ x F'^ and any nonzero v in F: 

X; (u,x),n(n',y)n{v,fix,y))= ^ ^^tr[u:W-y+v fix,y)] ^ 

^^^i'’[rr„(ux)+Tr„(u'y)+U9(^:ff^)+wTr„(6y)] 

x€GF{q^),yeGF{q’') 

Since, for every y, a + (j>{y) ^ 0, the element z = a.+^(y) ranges over the whole 
field GF{q^) when x does. We deduce: 



(m, x)m{n', y)n{v, f{x, y))r - 



E 



\Trm{.u(az+zij>{y)))+Trj,(u' y)+v g(z))+v Tr.„{b y)] _ 



zeGF{q"^),yeGF{q’') 




428 



H '"P 

z€GF{qm)^y(zGF{q 



^ tr[Trm(-uaz)+Tr„{y[<(>’'[uz)}+u' + v b])+v g{z)j _ 



E 



W, 



tr\Trrrx (uaz)-^v g{z.)\ 



zeGF{q^) 



,l^^tr[Tr,,{y[4,'‘(uz)) + u' + vb])] j _ 

y€GF(,") / 



E 



w. 



tr[Trm{uaz)i-v g(z)\ 



z^GF(q^) I ^•(u2:))+tt'+t; 6=0 

according to property (1). 

If W{{{u,u') < t, then according to the hypothesis on cp*, the set 
{z e GF{q^) I (j>*{uz)) + u' +vb = 0} 
is empty, and this sum is equal to 0. Thus, / is f-resilient. 



□ 



Example: Let E be an Jf'-subspacc of of maximum weight n — t — 1 and ip 
a linear mapping from to E. Let /> be a word of weight n in Then the 
condition of theorem 2 is satisfied hy (j> = provided that a does not belong 
to the image of ■0* (which is always possible if n < m). 



3 Secondary constructions 

3.1 Modifying a correlation-immune function on a subgroup 

Dillon proves in [11] that if a binary function / is bent on GF(2)" {n even) and 
if F is a ^-dimensional flat on which / is constant, then, denoting by 6e the 
indicator of E, the function f +6 e is bent too. 

We shall prove a similar result on correlation-immune functions. 

Theorem 3. Let G he any finite abelian group, t, m and n any positive integers 
and f a t-th order correlation- immune function from G" to G"* . 

Assume there exists a subgroup E of G", whose minimum nonzero weight is 
greater than t and such that the restriction of f to the orthogonal of E (i.e. the 
subgroup of G^ : E-^ = {u 6 G”|Va; G E, {u,x)n — 1}) is constant. Then f 
remains t-th order correlation-immune if we change its constant value on E-^ 
into any other one. 

Proof : 

Let a be the constant value of / on E-^ and 6 any element of G”*. Set f'{x) = f{x) 
if X ^ E^, f'{x) = b if X € E^. 

For any nonzero element v of G™ and any element u of G", we have: 

xeG" 

E {^^'^)n{f{x),v)m + ^ {x,u)n{b,v)m - ^ (x, u)„(a, u)m- 

x€G^ x^B-^ x^E-^ 




429 



If u is nonzero and if its weight is at most equal to t, then: 



^ ^ ^ ^ 



xGG” 






The sum: {a;, tt)„ is equal to 0, since u does not belong to E. □ 

xeE^ 



3.2 Adapting a secondary construction known for bent functions 

It is known, cf. [11, 17], that if 5, h, k and g + h + k are bent on GF( 2 )'^ (m 
even), then the function defined on any element {xi,X2,x) of GF(2)'"+^ by: 

f{xi,X 2 ,x) = 

g{x)h(x) + g{x)k{x) 4- h(x)k{x) + [5(3;) + + [(7(2;) + k{x)]x2 +a;ia;2 

is bent. 



Theorem 4. Let g, h and k be three functions from GF{ 2 )'^ to GF{ 2 ). If g is 
t-resilient, h and k are (t — l)-resilient and g + h + k is {t — 2 ) -resilient, then 
the function on 

f{xi,X 2 ,x) = 

g{x)h{x) + g{x)k{x) + h{x)k{x) + [^(a:) + fi(a;)]a:i + [p(x) + fc(x)]x2 + X1X2 
is t-resilient (the converse is true). 



Proof : 
We have: 



jy(xi,i2,a:)+aixi+a2i2 + ax _ 

xuX2€GF{2),x€GF(2)”' xi ,X2 6GF(2),x6Gf’{2)™ 

^_j^^g(x)+[xi+9(x) + fc(x) + a2][i2+9{x)+/i(x)+ai|+ai[(((x)+fc(x)]+a2[9{x)+A(x)]+ai02 + a-x 



Changing Xi into X\ + g{x) + fc(x) + 02 and X2 into X2 + g{x) + h{x) + ai, we 
obtain: 



^_]^j9(x)+xix2+ai[9(x)+fc(i)] + 02[9(x)+h(x)l+ax+aia2 

xi,X2eGf{2),igGf(2)"> 

that is equal to: 

2 ^_]^^s{a:)+ai[9(*)+*(i)]+a2[s(3:)+/i{l)j + a-x+ai02 

xeGF{2)"> 



Assume that the word (01,02, a) has Hamming weight at most t. Then if oi = 
02 = 0, we obtain: 



2 






xeGF(2)”* 




430 



that is equal to zero, according to the hypothesis and since a has Hamming 
weight at most t. If ai = 0 and a 2 — \ (resp. ai = 1 and a 2 =0), we obtain: 
2 ^ (resp. 2 ^ that is also equal to zero, 

xeGF(2)'^ i60F(2)"‘ 

since a has Hamming weight at most t — 1. If ai = aj = 1, we obtain: 

_2 ^_jj9(a;)+/i(*) + fc(a:)+ax 

xeGF(2)>" 

that is equal to zero too, since a has Hamming weight at most t — 2. 

The converse is similar. □ 

Example: This result may be applied to functions g, h and k chosen in Maiorana- 
McFarland-like class (over GF{2)): g{x,y) = x ■ (p{y) + gi{y), h{x,y) = x-<j>'{y) + 
hi{y), k{x,y) = x ■ 4>"{y) + ki{y), where any element of (f>{G‘) (resp. <p'{G‘), 
(f)''{G^], {(^ + 4>' + ^"){G^)) has more than t (resp. t — 1, t — 1, t — 2) nonzero 
coordinates. 

Remark : It is possible to extend this result to general finite fields, but the hy- 
pothesis becomes hard to satisfy. 



3.3 Constructing correlation-immune functions from bent functions 

The construction of bent functions that is recalled in the previous subsection is 
generalized in [8]: 

Let m and r be two positive even integers. Let / be a Boolean function on 
GF{2)^'^^ such that, for any element x’ of GF{2Y , the function on GE(2)™: 

fx' ■ X ^ f{x,x') 

is bent. Then / is bent if and only if for any element u of GF(2)”“, the function 

(p„ : a;' /a,'(u) 

is bent on GF{2Y {f^' always exists: every bent function on GF{2) in even 
dimension is regular-bent). This result generalizes to functions / over Z,'""’”'’ (as 
stated in [8]) such that for every x' , the function f^' is regular-bent. 

It leads us to a construction of resilient functions from regular-bent functions: 



Theorem 5. Let r be a positive integer, m a positive even integer and p a prime. 
Let f be a function from (GF(p))’"+’' to GF{p) such that, for any element x' of 
{GF{p)Y , the function on (GfIp))"^: 

fx' -.X fix, x') 



is regular-bent. 

If, for every element u of (GF(p))*” of Hamming weight at most t, the function 

tPu -x'-* fx'i'x) 

is ft — wh{u)) -resilient, then f is t-resilient (the converse is true). 




431 



Proof : 

For every nonzero v in GF{p), and every («,«') in GF(p)™+’', we have: 

{u,x)m{u',x')r{vj{x,x')) = 

(x,x')eGF(p)'"+’’ 



E 



w. 



vf^i {x)-\-U‘X-\-u' -x' 



{x,x')£GF{p)^+^ 

fx' being regular-bent, we have: 



( 4 ) 



wp Vn e GF(p)’". (5) 

xeGF(p)”' 

Let us first prove that, for every nonzero v in GF{p): 

Y Vu G GF{p)^ : 

xGGF(p)’" 

let Cp be the cyclotomic field generated by Wp over the rationnals, i.e. 

Cp — Q(mp), 

we know (cf. [18], see also [13]) that its Galois group is the abelian group each 
element cr of which raises Wp to the n-th power, n G {1, . . . ,p- 1} (every element 
of Q being invariant under a). Say a = <Xp. 

From equality (5) and since p^ € Q, we deduce: 



E 



^x6GF(p)- 



thus: 



and therefore: 



E 



W- 



w, 



fit' (x) + u-x 



^ a 









x6Gf (p)" 



Y = p^ wp^'f-'i-^). 

xeGF(p)'" 

From equalities (4) and (6), we deduce: 

Y (u,x),n{u',x')r{v,f{x,x')) = 

(x,x')eGF(p)"'+’’ 

p^ Y = 

x'eGFipy 

p 2 ^ wp^ ’ 

x'eGF(p)’- 



( 6 ) 




432 



This completes the proof, since W}j (— ^) = wu{u) and since wh{u,u') < t im- 
plies wh{u) < t and wh{u') <t — wh{u). The converse is similar. □ 

Example; taking f^' in Partial Spreads class and ipu in Partial Spreads-like class, 
we obtain that the function f{x,y,x',y') = k{^, + Trn{by'), where for 

every x' , the function x — ► k{x,x') is balanced, for every y' , a + <j){y') / 0, and 
for every 2: and every v ^0, 0*(z) -I- u ft has weight greater than t, is t-resilient. 

Remark : Theorem 5 could be generalized to functions f{x, x') over a more general 
Galois field GF{q) such that, for every x' G GF{qY and every nonzero v € 
GF{q): 

. the function fx',v '■ ^ vf{x,x') is regular-bent, 

‘ fx' “ rj fx' ,1 • 

References 

1. A.S. Ambrosimov. Properties of bent functions of q-valued logic over finite fields. 
Discrete Math. Appl. vol 4, N° 4, pages 341-350 (1994) 

2. J. Bierbrauer, K. Gopalakrishnan and D.R. Stinson. Bounds for resilient functions 
and orthogonal arrays. Advances in Cryptology, CRYPTO’94, Lecture Notes in 
Computer Sciences, Springer Verlag n° 839, pages 247-256 (1994) 

3. P. Camion and A. Canteaut. Construction of t-resilient functions over a finite 
zdphabet, Advances in Cryptology, EUROCRYPT’96, Lecture Notes in Computer 
Sciences, Springer Verlag n° 1070, pages 283-293 (1996) 

4. P, Camion and A. Canteaut. Generalization of Siegenthaler inequality and 
Schnorr-Vaudenay multipermutations. In N. Koblitz, editor, Advances in Cryp- 
tology - CRYPTO’96, number 1109 in Lecture Notes in Computer Science, pages 
372-386 Springer- Verlag, 1996. 

5. P. Camion, C. Carlet, P. Charpin and N. Sendrier. On correlation-immune func- 
tions. Advances in Cryptology, CRYPTO’91, Lecture Notes in Computer Sciences, 
Springer Verlag n° 576, pages 86-100 (1992) 

6. C. Carlet. Two new classes of bent functions. EUROCRYPT’ 93, Advances in 
Cryptology, Lecture Notes in Computer Science 765, pages 77-101 (1994) 

7. C. Carlet, Generalized Partial Spreads, IEEE Transactions on Information Theory 
vol 41 pages 1482-1487 (1995) 

8. C. Carlet. A construction of bent functions. Finite Fields and Applications, London 
Mathematical Society, Lecture Series 233, Cambridge University Press, pages 47-58 
(1996) 

9. C. Carlet and P. Guillot. A characterization of binary bent functions. Journal of 
Combinatorial Theory, Series A, Vol. 76, No. 2 pages 328-335 (1996) 

10. C. Carlet, Hyperbent functions. PRAGOCRYPT’97, Czech Technical University 
Publishing House, pages 145-155 (1996). 

11. J. F. Dillon. Elementary Hadamard Difference sets. Ph. D. Thesis, Univ. of Mary- 
land (1974). 

12. A. R. Hammons Jr., P. V. Kumar, A. R. Calderbank, N. J. A. Sloane and P. 
Sole. The ^4-linearity of Kerdock, Preparata, Goethals and related codes. IEEE 
Transactions on Information Theory, vol 40, pages 301-320, (1994) 




433 



13. P. V. Kumar, R.A. Scholtz and L.R. Welch. Generalized bent functions and their 
properties. Journal of Combinatorial Theory, Series A 40, pages 90-107 (1985) 

14. B.R. MacDonald. Finite rings with identity. Marcel Dekker, NY, 1974 

15. W. Meier and O. Staffelbach. Nonlinearity Criteria for Cryptographic Functions. 
Advances in Cryptology, EUROCRYPT’ 89, Lecture Notes in Computer Science 
434, pages 549-562, Springer Verlag (1990) 

16. K. Nyberg. Perfect non-linear S-boxes. Advances in Cryptology, EUROCRYPT’ 
91, Lecture Notes in Computer Science 547, pages 378-386, Springer Verlag (1992) 

17. O. S. Rothaus. On bent functions. J. Comb. Theory, 20A, pages 300- 305(1976) 

18. P. Samuel. Algebraic Theory of Numbers. Boston, Houghton Mifflin, 1970 

19. C. E. Shannon. Communication theory of secrecy systems, in Bell system technical 
journal, vol. 28, pages 656-715 (1949) 

20. T. Siegenthaler. Correlation-Immunity of Nonlinear Combining Functions for Cryp- 
tographic Applications. IEEE TVans. on Inf. Theory, vol IT-30, n° 5, pages 776-780 
(1984) 

21. C.P. Schnorr and S. Vaudenay. Black box cryptanalysis of hash networks based on 
multipermutations. Advances in Cryptology, EUROCRYPT’ 94, Lecture Notes in 
Computer Science 950, pages 47-57, Springer Verlag (1995) 

22. Xiao Guo-Zhen and J. L. Massey. A Spectral Characterization of Correlation- 
Immune Combining Functions. IEEE Trans. Inf. Theory, Vol IT 34, n° 3, pages 
569-571 (1988). 




Design of SAC/PC(/) of Order k Boolean 
Functions and Three Other Cryptographic Criteria 



Kaoru Kurosawa* and Takashi Satoh 

* Dept, ot Computer Science, 

Graduate School of Information Science and Engineering, 

Tokyo Institute of Technology 

^ Dept, of Physical Electronics, Faculty of Engineering, Tokyo Institute of Technology 
2-12-1 O-okayama, Meguro-ku, Tokyo 152, Japan 
kurosawa(9ss . titech .ac.jp, tsatoQss . titech.ac . jp 



Abstract. A Boolean function / satisfies PC(/) of order k if /(i) © 
f{x®a) is balanced for any a such that 1 < W[a) < I even if any k 
input bits are kept constant, where VP(cr) denotes the Hamming weight 
of a. This paper shows the first design method of such functions which 
provides deg(/) > 3. More than that, we show how to design “balanced” 
such functions. High nonlinearity and large degree are also obtcdned. 
Further, we present balanced SAC(A:) functions which achieve the maxi- 
mum degree. Finally, we extend our technique to vector output Boolean 
functions. 



1 Introduction 

The security of block ciphers is often studied by viewing their S-boxes (or F 
functions) as a set of Boolean functions. SAC [15] and PC(I) [11] are important 
cryptographic criteria of such Boolean functions. Let W (a) denote the Hamming 
weight of a € {0, l}". For a Boolean function f(x) — f(xi, . . . , x„), define 

^ = /(x) © f(x ® a) . 



f{x) is said to satisfy 

— SAC if Df/Da is balanced for any a such that W{(x) = 1. 

— SAC(fc) if any function obtained from / by keeping any k input bits constant 
satisfies SAC. 

— PC(I) if DfjDa is balanced for any a such that 1 < W{a) < 1. 

— PC(f) of order k if any function obtained from / by keeping any k input bits 
constant satisfies PC(Z). 

* This author was supported by the Telecommunications Advancement Foundation, 
Japan. 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 434-449, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




435 



Well known bent functions satisfy both SAC and PC(/) for all 1 < n, but not 
necessarily SAC(fc) nor PC(f) of order fc for A; > 1. 

On the other hand, balancedness, algebraic degree and nonlinearity are an- 
other important cryptographic criteria. 

— Let deg(/) denote the degree of the highest degree term in the algebraic nor- 
mal form of /. Then deg(/) must be large. Actually, Jacobsen and Knudsen 
showed an attack against block ciphers with small deg(/) recently [2]. 

— The nonlinearity of a Boolean function /, denoted by A^(/), is defined as the 
minimum distance of / from the set of affine functions. 

N{f)= min |{a: | /(r) / oq ©aiaci © • ■ • © a„x„}| . 

an,...,a„ 

N{f) must be large to avoid the linear attack [7]. 

— Preneel et al. showed a balanced SAC(n — 2) function for n =odd [11]. 
Lloyd [5] showed a condition such that SAC(n - 3) functions are balanced. 
Balanced SAC functions with high nonlinearity were constructed by [14]. 
Recently, other balanced SAC functions were given by [16]. 

However, 

(1) No general methods are known which design Boolean functions satisfying 
PC{1) of order k except deg(/) = 2. (For deg(/) = 2, see [11,12].) 

(2) Balanced SAC(fc) functions are not known for 1 < fc < n — 4. 

(3) Balanced functions satisfying PC(Z) of order k are not known for any I > 2 
and any k. 

This paper shows a design method of PC(f) of order k functions. The pro- 
posed method is the first design method which provides deg(/) > 3. We construct 
/ as 



f{xi,...,Xs,yi,...,yt) = [a;i,.-.,a;,,](5[yi,...,T/(]^®.g(a:i,...,Xs) , (1) 

where Q is an s x < binary matrix and g{xi, . . . ,Xg) is any function. Then / 
satisfies PC(Z) of order fc if <5 satisfies the following conditions. 

— W (Q 71 ) > A; 1 for any f X 1 vector 71 such that 1 < W( 7 i) < 1. 

— W{pf 2 Q) > A: -I- 1 for any 1 x .s vector 72 such that 1 < W( 72 ) < 1. 

Such a matrix Q is obtained by the product of two generator matrices of error 
correcting codes. Further, it is shown that balanced / can be obtained by choos- 
ing g appropriately in ( 1 ). We can also obtain large degree and high nonlinearity 
such that 



— deg(/) s/2 and N(f) > 2*"*'® ^ — 2*"*‘*/^ ^ for s =even. 

— deg(/) = (s — l)/2 and N{f) > for s =odd. 




436 



The above N{f) is almost the maocimum if t is small. (The deg(/) and N{f) for 
SAC(fc) are obtained by substituting t = k + I and s = n — fc — 1.) 

Next, SAC{k) functions with the maximum deg(/) are obtained for k < 
n/2 — 1. This shows that an upper bound on deg(/) of SAC(fc) functions given 
by Preneel et al. [11] is tight. Further, balanced SAC(fc) functions with the same 
maximum degree are presented for n — A; — 1 = odd. This means that the bound 
of [11] is tight even for balanced SAC(fc) functions iffc<n/2— 1 and n — k—l = 
odd. It will be a further work to find a tight upper bound on deg(/) of balanced 
SAC(fc) functions for n — k — I = even. 

Finally, we extend our technique to vector output Boolean functions. Vector 
output PC(2) of order 2'’“^ — 1 functions and vector output SAC(fc) functions 
are obtained which also possess high nonlinearity and large degree. 



2 Preliminaries 

f{xi , . . . ,Xn) denotes a mapping from {0, 1}" to {0, 1}. For a binary string a, 
W (a) denotes the Hamming weight of a. We use square brackets to denote 
vectors like [oi , . . . , a„] and round brackets to denote functions like f{xi, . . . ,x„). 



2.1 Balance and Algebraic Degree 

We say that f{x) is bcdanced if 

]{x I /(x) = 0}| = |{x I /(x) = 1}| = 2"“^ , 
where x = [xi, . . . , x„]. 

Definition 1. We call /(x) = c © aixi 0 • • • 0 a„x„ an affine function. 

Proposition 2. A non-constant affine function is balanced. 

Propositions. [14} /{xi., ... ,Xg) ® g{yi, ... ,yt) is balanced if f is balance.d or 
g is balanced. 

The following form is called the algebraic normal form of f. 

n 

/(xi,...,x„) =Oo© © OiXj © 0 aijXiXj © ■ ■ • © ai2...nXlX2 ...Xn . 

i=l l<t<j<n 



deg(/) denotes the degree of the highest degree term in the algebraic normal 
form of /. 




437 



2.2 Bent Function and Nonlinearity 
Bent functions are defined as follows. 

Definition 4. [13] f{xi, . . . ,Xn) is a bent function if 

huj„i„ 

X 

for any [wi,...,w„] G {0, 1}". 

Define a distance between two Boolean functions f{x) and g{x) as 

d{f,g) = |{a; I f{x) ^ (/(r)}] . 

Definition 5. [10] The nonlinearity of a Boolean function f, denoted by N{f), 
is defined cis 

N{f)= min d(/(a;), Oq 0 airi © ■ ■ ■ © a„a:„) . 

ao,...,a„ 

N{f) is the distance of / from the set of affine functions and it should be 
large to avoid the linear attack. It is known that each bent function has the 
maximum N{f). 

Proposition 6. [8, 13] N{f) < 2"-^ - 

Proposition 7. [8, 13] The equality of Proposition 6 is satisfied if and only if f 
is a bent function. 

2.3 SAC and SAC(fe) 

/ satisfies SAC if complementing any single input bit changes the output bit 
with probability a half. 

Definition 8. [l, 15] 

(1) f{xi , ,Xn) satisfies SAC (the strict avalanche criterion) if f(x) © /(x©a) 
is balanced for any a € {0, 1}" such that VT(q) = 1. 

(2) f(x) satisfies SAC(fc) if any function obtained from f(x) by keeping any k 
input bits constant satisfies SAC. We say that / is an SAC(fc) function if 
f(x) satisfies SAC(fc). 

Proposition 9. [1] There exist no SAC(n — 1) functions. 

Proposition 10. [11] 

(1) If f(xi, . . . ,Xn) satisfies SAC(n — 2), then deg(f)=2. 

(2) If f(xi , . . . , In) satisfies SAC(k) for 0 < k < n — 3, then 

deg(/) < n - fc - 1 . (3) 

Preneel et al. showed a design method of SAC(fc) functions for deg(/) = 2. 

Proposition 11. [11] Suppose that deg(/) = 2 and n > 2. Then, f satisfies 
SAC(k) if and only if every variable Xi occurs in at least fc + 1 second order 
terms of the algebraic normal form, where 0 < fc < n — 2. 





438 



2.4 PC(/) and PC(/) of Order k 

f satisfies PC(Z) if complementing any I or less input bits changes the output 
bit with probability a half. 

Definition 12. [11] 

(1) f{xi, , Xn) satisfies PC(?) if f{x)®f{x®a) is balanced for any a £ {0, 1}" 
such that 1 < W{a) < 1. 

(2) f{x) satisfies PC(/) of order k if any function obtained from f{x) by keeping 
any k input bits constant satisfies PC{1). We say that / is a PC(Z) of order 
k function if f{x) satisfies PC(/) of order k. 

It is well known that / satisfies PC(n) if and only if / is a bent function [11]. 
Bent functions, however, do not necessarily satisfy PC(I) of order k. 

PC(n) functions, therefore bent functions, exist only for n =even from (2). 
Preneel et al. [12] showed the following functions which have deg(/) = 2. 

Proposition 13. There exists a PC{n — 1) of order 1 function for n =odd. 

Proposition 14. f 11] Let 

Sn{xi,...,Xn) = 0 XiXj . 

l<i<j<n 

Then satisfies PC{1) of order k if l + k<n — I or if I + k = n and I is even. 
Further, 

(1) Sn is the only function which satisfies PC{1) of order n — 2 (or SAC{n — 2)). 

(2) Sn is the only function which satisfies PC{2) of order n — 2. 

(3) Sn is balanced if n =odd. 

Proposition 15. 

(1) There exists a balanced SAC{n — 2) function if n =odd. 

(2) There exist no balanced SAC{n — 2) functions if n —even 

Proof. 

(1) From (1) and (3) of Proposition 14. 

(2) From line 4 of p.l71 of [11] and (1) of Proposition 14, a SAC(n — 2) function 
is a bent function if n =even. Further, bent functions cannot be balanced 
[13]. 

□ 

3 How to Design PC(Z) of Order k Functions 

This section shows the first design method of PC(/) of order k functions which 
provides deg(/) > 3. (For deg(/) = 2, see Sect. 2.4.) The proposed method is 
also a design method of SAC(fc) functions since SAC(fc) is equivalent to PC(1) 
of order k. 




439 



3.1 Basic Theorem 

Theorem 16. For positive integers I and k, suppose that there exists an s x t 
binary matrix Q such as follows. 

(1) s > mcix{Z, fc + 1} and t > mcix{Z, A; + l}. 

(2) VF(Q7 i) > fc + 1 for any t x 1 vector 7x such that 1 < W^yi) <1. 

(3) W{~f 2 Q) > A: + 1 for any 1X5 vector 72 such that 1 < 1^(72) < 1. 

Now define 

f{xi,...,x^,yi,...,yt) = © y(xi, . . . .xj , (4) 

where g{x\, . . . ,Xs) is any function and n = s + t. Then f satisfies PC{1) of 
order k. 



Proof. Keep any k input bits constant. Without loss of generality, we can assume 
that 

Xl — b\ ^ ... J Xy^ by^ yi Cj , . . . , Py Cy^ 

where u + v = k, u<s and v < t. Substitute these bits into / cind let 

f (x^.|-i , . . . , X3 , , . . . , 2/t) — /(hi , . . . , Xu4-i , . . . , X5 , Cl , . , . , Cx, , i/v+i 1 • • • » 3 /t) ■ 

We have to prove that /(x) © /(x © a) is balanced for any a such that 1 < 
W(a) < 1. For simplicity, we show a proof for 1 = 2. The proof for / > 3 is 
similar. 

For W(a) = 2, define 



Df A p 



DXy+iX 



u-f 



1 ) ■ • ‘ • * - T 2/i ) ^ fi' • • t © 1, ... , Xy + j ® 1, . . .) 



Df ^ 

- = f{Xy.^.i , . . . , Xj , t/v +1 j • • • 1 1 /f ) ® /(• ■ • iVv + i ® 1 ) - • ■ ! 3 /u+l ® !)■••) 



^Vv+iVv+j 



■ . ,Xs,y„+i,. . .,yi) ©/(- ■ © 1, . . -jyv+j © 1, ■ • • 






Let qi be the i-th column vector of Q and pi be the i-th row vector of Q. First, 
we obtain 



_ — [hi , ... ,by, Xti+1, . . . , Xj] . (5) 

^Vv + iVv+j 

From condition (2) of this theorem, ©y„4-_, ) > A: + 1. On the other hand, 

u < k. Therefore, the right hand side of (5) is a non-constant affine function. 
Hence, is balanced from Proposition 2. 

Next, for g, define 



1 • • • 1 ^5 ) — ff(hl , - - • , hxx, Xxx.|_i , • • • , X5) . 




440 



Further, define 



Dg 



and 



Dg 



Dxu+iX 






similarly to /. Then we obtain 



^ 

Dxu+iX 



U+j 



— i.Pu+ 1 ® Pu + j ) [^1 j - - - j j Vv-\-i 1 • • ‘ 1 3 /t ] 



Dg 

DXu-^iXu^j 



From condition (3) of this theorem, VF(pu+i®p„+j) > fc + 1. On the other hand, 
V < k. Therefore, {pu+i © P«+i)[ci , - - . , c^,Vv+t, ■■■, VtV ^ non-constant affine 
function. Hence, Df /Dx^+iX^j^j is balanced from Proposition 3. 

Finally, we have 



2i_ 

D X iV V -\^ j 



> - - * 7 ^V) 

©[6i 

5 • - ‘ 1 1 T • ' - 5 Xs]Qv+j 



Dg 

DX'tx~\-i 



Here, pu+i\ci, . . . ,Cy, . . . , j/t]^ is a non-constant affine function since v < k 
and VF(p„+i) > fc -|- 1. Hence, Df/Dxy,^iy-u+j is balanced from Proposition 3. 

Thus, we have proved that f{x) © /(x ® a) is balanced for any a such that 
W{a) = 2. Similarly, we can show that it is balanced for VF(a) = 1. Conse- 
quently, / satisfies PC(2) of order k. □ 



3.2 How to Find Q 

This subsection shows that the matrix Q of Theorem 16 can be obtained by 
using generator matrices of error correcting codes. 

Definition 17. A linear [A'^, h, d] code is a binary linear code of length N, di- 
mension h and the minimum Hamming distance at least d. 

Definition 18. The dual code of a linear code C is defined as 

C'^ = {n I « • a = 0 for all a £ C} . 

The dual minimum Hamming distance of C is defined as the minimum Hamming 
distance of C'-'-. 

Theorem 19. Let Gi be a generator matrix of a linear [t, h, di] code Ci with the 
dual minimum Hamming distance d[. Let G 2 be a generator matrix of a linear 
\s,h,d 2 \ code C 2 with the dual minimum Hamming distance d^. Let 

Q = Gi'Gi . 

Then Q satisfies the conditions of Theorem 16 for 

I — min(dj,d2) — 1 
k = min(di, d 2 ) — 1 . 




441 



Proof. We first show that Q satisfies condition (2) of Theorem 16. Let 71 be 
a t X 1 vector such that 1 < W( 7 i) < /. 7 i is not a codeword of because 
< I < d[. Then, 

Gi7i 0 

because Gi is a parity check matrix of Cf-. Therefore, 



Q 71 =<?2(<?l7l) 



is a nonzero codeword of C 2 because G 2 is a generator matrix of C 2 . Hence, 

W{Qyi)>d2 >k+l. 

Similarly, Q satisfies condition (3) of Theorem 16. □ 

By using Theorem 19, we can obtain the following results, for example. 

Proposition 20. [6, p. 30] Let C 6e a [2'' — 1, 2'' — 1 — r, 3] Hamming code. Then 
C-*- is a [2^ — l,r, 2’'“^] simplex cade. 

Corollary 21. Forr > 2, there exists 

(1) a PC(2’'“^ — 1) of order 2 function such that n = 2’'+^ — 2 and 

(2) a PC{2) of order 2’~~^ — 1 function such that n = 2’'‘*'^ — 2. 

Proposition 22. [6, p.SlJ Let C be a [2'", 2’' — 1 — r, 4] extended Hamming code. 
Then C-^ is a [2’",r + 1,2''“^] first order Reed-Muller code. 

Corollary 23. Forr > 2, there exists 

(1) a PC{2^~^ — 1) of order 3 function such that n = 2'^'^^ and 

(2) a PC{3) of order 2'“”^ — 1 function such that n = 2’'"*'^. 



4 Balance, Large Degree and High Nonlinearity 

We can obtain “balanced” PC(Z) of order k functions by choosing g appropriately 
in Theorem 16. Large degree and high nonlinearity can also be obtained. 

4.1 Balanced PC(Z) of Order k 

Definition 24. We say that g is balanced for a matrix Q if 

|{a: I g{x) -Q,xQ = 0}| = |{a; | g{x) = l,xQ = 0}| . (6) 

Theorem 25. In ( 4 ), f is balanced if g is balanced for Q . 




442 



Proof. Substitute Xi = bi, ... ,Xs = into (4), where bi,...,bg are constant 
bits. Then we have 

f{i>i,-..,bs,yi,..-,yt) = [bi, . . . ,b^]Q[yi, . . . ,yt]'^ ® g{bi, . . . ,b,) . (7) 

If [J>i, . . . , bg]Q ^ 0, the right hand side of (7) is a non-constant affine function. 
Therefore, f {bi, ... ,bs,yi, ... ,yt) is bcdanced from Proposition 2. For [hj , . . . , hj] 
such that [6i, . . . , 6j]Q = 0, we have 

f{bi,...,bs,yi,...,yt) = g(bi,...,bs) . 

Then because g is balanced for Q, we see that /(xi , ... ,Xg,yi, ... ,i/t) is balanced 
for Q for any fixed (yi,..., yt). 

Consequently, /(xi , . . . , x^, , . . . , j/t) is balanced. □ 



We can find such g in the following way. 

Lemma 26. Suppose that g{xi, . . . ,x„) is written as 

g{xi, .. . ,Xs) = aixi ® ® UsXs (8) 

if [xi, . . . , x„]<5 = 0. Then g is balanced for Q if and only if [ai , . . . , is 
linearly independent of the columns of Q. 

Proof. First, it is easy to see that g of (8) is balanced for Q if and only if there 
is an X such that 

xQ = 0 but g{x) = 1 . (9) 

This condition is equivalent to say that the kernel (zero space) of is not 
contained in the zero space of the linecir mapping 

3 (x) = [tti,...,a^]x^ . 

This holds if and only if [oj , . . . , a^] is linearly independent of the rows of . □ 

Corollary 27. Let xQ = [/ii(x), . . . , ht(x)]. Define 

g{xi,. ..,Xg) = ttixi 0 • ■ • ® a^Xa 0 hi{x)h 2 {x) . . .ht{x)H{x) , 



where H{x) is any function. Then g is balanced for Q if and only z/ [aj , . . . , 
is linearly independent of the columns of Q. 

Another way of finding a balanced g for Q is to write its truth table. 




443 



4.2 Large Degree and High Nonlinearity 

In (4), we can obtain deg(/) = s by letting 

= Xi . . . . 

Further, PC(/) of order k functions which possess high nonlinearity and large 
degree at the same time can be obtained as follows. 

Theorem 28. There exists a PC{1) of order k function f such that 

— deg(/) = s/2 and N{f) > 2*"*"’“* — 2*+*^^“* for s =even. 

— deg(/) = (s — l)/2 and N{f) > for s =odd, 

where s and t are defined in Theorem 16. 



Proof. For s =even, there exists a bent function g{xi , . . . , x^) such that deg(g) = 
s/2. By choosing this g in (4), we obtain deg(/) = s/2. Next, we compute the dis- 
tance between this f and an affine function A{xi, . . . ,Xs,y\, . ■ . ,yt). Substitute 
yi = Cl, . . .yt = ct into / and A, where Ci,. .. ,Ct are constant bits. Let 

) • • • ) — gi.^1 } • ■ ■ 1 ^ 1 ’ • • ^ ^ s'} 

-do(^l A(^Xi, , Xg, Cl, ... Ct} , 



where 

Then 



d{f,A) 



B(xi,...,Xg) = [xi,...,X3]<5[ci,...C(]^ . 

d{fo,Ao)= d{g^B,Ao) 

^ d{g,Ao9B)> Y, N{g) = 2\2^-^ 



from Proposition 7. The above inequality holds for any affine function A. There- 
fore, N{f) > 2‘(2*-i -2^/2-1). 

For s = odd, let g(xj, . . . ,Xs_i) be a bent function with degree (s — l)/2 and 
let g{xi, . . . ,Xs) = g{xi, . . . ,Xj_i). (Bent functions exist only for s = even.) □ 



Compare Theorem 28 with Proposition 6. Then we see that the above N{f) 
is almost the maximum if t is small. (From condition (1) of Theorem 16, t > 
max{f, k 1}, though.) 



5 Balanced SAC(fc) with the Maximum Degree 

Proposition 10 gives an upper bound on the degree of SAC(fc) functions. In 
Sect. 5.2, we will show that this bound is tight for k < n/2 — \. Further, Sect. 5.3 
will show that this bound is tight even for balanced SAC(fc) functions for k < 
n/2 — 1 and n — k — l=odd. 




444 



5.1 How to Design SAC(fc) Functions 

First, we can obtain SAC(fc) functions as a special Ccise of Theorem 16. 
Corollary 29. Let 

f {^1: ■ - • 5 ) — (^1 © ' ' ■ © ^n — A: — 1 ©* * j ^n — A — 1 ) ^ 

■where g{xi, . . . ,Xn-k~i) w any function. Then f satisfies SAC{k) z/fc < ^ — 1. 
Proof. In Theorem 16, let 

Q = the (n — A: — l)x(fc+l) matrix whose elements are all one. (11) 
Ifn — fc— 1 >fc + l,<5 satisfies conditions (2) and (3) of Theorem 16 for / = 1. □ 

5.2 SAC(fc) with the Maximum Degree 

Theorem 30. There exists an SAC{k) function /(xj , . . . , ixhich meets the 
equality of (3) for k < f — 1- 

Proof. In Corollary 29, let </(xi, . . . ,x„_fc_i) — . . . Xn-k-i- Then we obtain 

deg(/) = n — k — 1 and the equality of (3) is satisfied. □ 

Remark. Proposition 11 shows that Proposition 10 is tight for A: = n, — 2 and 
n — 3. 

5.3 Balanced SAC(A:) with the Maximum Degree 

Theorem 31. There exists a balanced SAC{k) function f{xi ,... , x^) which meets 
the equality of (3) if k ■< ^ — I and k — n — 1 — odd. 

Proof. In (10), let 

y(xj,...,Xn — Zc — l) — ©'**© 1 ^Ti — A — 1 © • Xn~k~l ) 

where 

[ai,...,a„_fc_i]^[0,...,0], . (12) 

We show that this g is balanced for Q, where Q is given by (11). Let x = 
[xj, . . . , x„_jt_i]. Note that xj . . . x„_t,_i = 0 if W[x) <n — k — \ =(odd). Also, 
W{x) — even if xQ = 0. Therefore, xi , . .Xn-k-i = 0 if W(i) =even and hence 
if xQ = 0. Hence, 

y(xj , . . . , Xn— A;~i ) = 0 • * • 0 a„_x._xX„_X:— 1 

if xQ = 0. Further, [ai,...,aj] satisfying (12) is linearly independent of the 
columns of Q. Then g is balanced for Q from Lemma 26. 

Consequently, / of (10) is balanced from Theorem 25. □ 




445 



Theorem 32. For k — n — 1 = even, there exists a balanced SAC{k) function 
such that deg(/) — n — k ~ 2. 

Proof. Let 

q{x\ , . . . , Xn~k~\) — — ' * - ^n — A: — 1 i 

where 

[ai , . . . , a„_fc_i] ^ [0, . . . , 0], [1, . . . , 1] 

We can show that g is balanced for Q, where Q is given by (11). □ 

It will be a further work to find a tight upper bound on deg(/) of balanced 
SAC(A;) functions foin — k — 1 = even. 

Remark. 

(1) For balanced SAC(n — 2) functions, see Proposition 15. 

(2) Lloyd [5] showed a condition such that SAC(n — 3) functions arc balanced. 

(3) Balanced SAC functions with high nonlinearity were constructed by [14]. 
Recently, other balanced SAC functions were given by [16]. 

6 Extension to Vector Output Boolean Functions 

In this section, we extend our technique to vector output Boolean functions. 

6.1 General Results 

Let F denote a mapping from {0, 1}" to {0, 1}'”. We say that F is uniformly 
distributed if 

l{r|F(a:) = /3}l=2”— 

for any p € {0, 1}”*. 

Definition 33. We say that F{xi, . . . ,Xn) = [fi,---,fm] is an (n., m)-SAC(fc) 
function if any nonzero linear combination of /i, . ■ - , /m satisfies SAC(fc). 

Definition 34. We say that F{xi, . . . ,Xn) = [fi, - ■ ■ , fm] is an (n,m)-PC(l) of 
order k function if any nonzero linear combination of fi, . . . , fm satisfies PC(1) 
of order k. 

From Theorem 16, we obtain the following corollary. 

Corollary 35. Suppose that there exist sxt binary matrices Qi, ■ ■ . ,Qm such 
that any nonzero linear combination of Qi, ... , satisfies the conditions of 
Theorem 16. For 1 < i < m, let 

fii^h • • • t » 2/l T ‘ ? 2/i) — [^1 ) • • • j ^s]Qi[yi i**'?yt] y 

where gi is any function. Then F — [/i , . . . , fm] is an (s + t,m)-PC{l) of order 
k function. 




446 



Definition 36. For F(a;i, . . . ,x„) = define 



deg(F) = mindeg(ai/i © ■ - • © a„/„), 

N{F) ^miniV{ai/i 

where min is taken over all nonzero binary vectors [aj , . . . , a^] . 

Corollary 37. In Corollary 35, 

(1) let = xi . . .Xsjxi. Then deg(F) = s — 1 if m < s. 

(2) For s = even and m < s/2, let [gi, . . . ,gm] be a vector output bent function 
given by [9], Then N{f) > 

(3) If s — odd and m < (s — l)/2, we can obtain N(f) > 

The following corollary is obtained from Theorem 19. 

Corollary 38. Suppose that there exist 

(1) a linear [t,h,k+ 1 ] code with the dual minimum Hamming distance at least 
I + 1 and 

(2) m matrices G 2 ,i, . . - t? 2 ,m such that any nonzero linear combination of them 
is a generator matrix of a linear [s,h, fc + 1 ] code with the dual minimum 
Hamming distance at least I + 1. 

Let Qi = for 1 < i < m. Then Qi, . . . , Qm satisfy the condition of 

Corollary 35. 

6.2 Vector Output PC(a) of Order k 

Proposition 39. [9] Consider a linear feedback shift register of length r and 
with a primitive feedback polynomial. Let D be the state transition function of 
such a shift register. Then D is a permutation of the space ZJ as well as the 
powers D' of D, where 

= Do - oD, . 

Moreover, any nonzero linear combination of I , D, , . . . , is also a per- 

mutation. 

Lemma 40. For any r > 2, there exist matrices G 24 , . . . , G 2 ,r such that any 
nonzero linear combination of them is a generator matrix of the [2^ — l,r, 2'‘~^] 
simplex code. 

Proof. Let [*i, . . . ,v] be the binary representation of i. 

(1) Let G 2 ,i be a r X (2'" — 1) matrix such that the i-th column vector is 




447 



(2) For 2 < j < r, let be a r x (2’" — 1) matrix such that the ?-th column 
vector is . . . ,ir). 

Then any nonzero linear combination of G 24 , ■ - . , (j 2 ,r is a parity check matrix of 
a [2’’ — 1, 2'' — 1 — r, 3] Hamming code by Proposition 39. Equivalently, any nonzero 
linear combination of G 24 , . . - ,G 2 ,r is a generator matrix of a [ 2 ^ — l,r, 2 ^“'^] 
simplex code. □ 

Theorem41. Fott>2, 

(1 ) there exists a (2’’+^ — 2,r)-PC{2) of order 2^~^ — 1 function F with 

deg(F) = 2 '- - 2 . 

(2) there exists a (2’"'"^ — 2,r)-PC(2) of order 2''“^ — 1 function F with 

N{F) > . 

Proof. First, there exists a [2'' — l,r, 2'"“^] simplex code (see Proposition 20). 
Next, there exist matrices ^ 2 , 1 ,. . . ,G 2 ,r such that any nonzero linear combina- 
tion of them is a generator matrix of a [ 2 '' — l,r, 2''“*] simplex code from Lemma 
40. Finally, the dual Hamming distance of a [2^^ — l,r, 2^“^] simplex code is 3. 
Hence, the conditions of Corollary 38 are satisfied. 

Finally, apply Corollary 37 with s = t = 2’’ — 1 . □ 



6.3 Vector Output SAC(fc) 



Theorem 42. For any s > 0, 



(1) there exists a (2s, s — 1)-5t1C(1) function F with deg(F) = s — 1. 

(2) there exists a (2s, s — 1)-5AC(1) function F with 




— 2 *^^^ * if s — even 
_ 2 ( 3 s- 1)/2 if s — odd . 



Proof. Let I = (ei, . . . ,Cj) be the s x s identity matrix and let P be a permu- 
tation matrix such that P = ( 6 ^, 61 , 62 , . . . Define 

Q. = P(*-1)(J-|-P) (13) 

for 1 < t < s — 1 . We show that <5i, • - satisfy the condition of Corollary 

35, that is the conditions of Theorem 16 with s = t. Let 



Q — aiQi -h • • • -H , 

where [ai , . . . , aa_i] ^ [0, . . . , 0] . Let qi be the j-th column vector of Q and pi be 
the i-th row vector of Q. Without loss of generality, we can assume that 

(1) tti = ■ - • = a^-i = 1 or 

(2) Oi = • • • = ttj = 1 and = 0 for some 1 < j < s — 2. 




448 



In case 1, 



Q = / + P*“i . 



In case 2, 

Q^I + PJ +X , 

where X cancels no elements of / + P-'. In any case, W{qi) > 2 for any i and 
^(Pi) ^ 2 for any i. Thus, the conditions of Theorem 16 are satisfied for 1 = 1. 
Finally, apply Corollary 37. □ 

Theorem 42 can be generalized as follows. 

Theorem 43. For any k > 0 and any s > fc + 1, let 

y=[{k + l)/2] , m = L(s - fc - l )/7 + IJ . 



Then 

(1) there exists a {2s,m)-SAC{k) function F with deg(P) = s — 1. 

(2) there exists a (2s,m)-SAC(k) function F with 



N{F) > 



22 *-i _ 22 s /2 1 if s = even 

22s-1 _ 2(3a-l)/2 if g = od^ , 



Remark. In [3], we showed that there exists an (n, m)-SAC(A:) function F if there 
exists a linear [A'', m, fc + 1] code such that 



f n — 1 if n is even 
I n — 2 if Ti is odd . 



(14) 



In this construction, 

(1) deg(P) and N{F) are small. Actually, deg(P) = 2. 

(2) However, m can be larger than that of Theorem 42 and Theorem 43. 

In other words, there is a tradeoff between the construction of [3] and Theorem 
42 and Theorem 43 of this paper. 



Acknowledgments 

We would like to thank the anonymous referees for helpful comments. Especially, 
lemma 4.1 was improved. 




449 



References 

1. R. Forre. The strict avalanche criterion : spectral properties of Boolean functions 
and an extend definition. In Advances in Cryptology — CRYPTO ’88 Proceedings, 
Lecture Notes in Computer Science 403, pages 450-468. Springer- Verlag, 1990. 

2. T. Jakobsen and L.R. Knudsen. The interpolation attack on block ciphers. In 
Preproc. of Fast Software Encryption, pages 28-40. January, 1997. 

3. K. Kurosawa and T. Satoh. Generalization of higher order SAC to vector output 
Boolean functions. In Advances in Cryptology — ASIACRYPT ’96 Proceedings, 
Lecture Notes in Computer Science 1163, pages 218-231. Springer-Verlag, 1996. 

4. S. Lidl and Niederreiter. Finite Fields, Encyclopedia of Mathematics and Its Appli- 
cations 20. Cambridge University Press, 1983. 

5. S. Lloyd. Counting binary functions with certain cryptographic properties. Journal 
of Cryptology, 5.T07-131, 1992. 

6. F. J. MacWilliams and N. J. A. Sloane. The theory of error- correcting codes. North- 
Holland Publishing Company, 1977. 

7. M. Matsui. Linear cryptanalysis method for DES cipher. In Advances in Cryptology 
— EUROCRYPT ’93 Proceedings, Lecture Notes in Computer Science 765, pages 
386-397. Springer- V^erlag, 1994. 

8. W. Meier and O. Staffelbach. Nonlinearity criteria for cryptographic functions. In 
Advances in Cryptology — EUROCRYPT ’89 Proceedings, Lecture Notes m Com- 
puter Science 434, pages 549-562. Springer-Verlag, 1990. 

9. K. Nyberg. Perfect nonlinear S-boxes. In Advances in Cryptology — EUROCRYPT 
’91 Proceedings, Lecture Notes in Computer Science 547, pages 378-386. Springer- 
Verlag, 1991. 

10. J. Pieprzyk and G. Finkelstein. Towards effective nonlinear cryptosystem design. 
lEE Proceedings Part E, 35(6):325-335, November 1988. 

11. B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, and J. Vandewalle. 
Propagation characteristics of Boolean functions. In Advances in Cryptology — 
EUROCRYPT ’90 Proceedings, Lecture Notes in Computer Science 47li, pages 161- 
173. Springer-Verlag, 1991. 

12. B. Preneel, R. Govaerts, and J. Vandewalle. Boolean functions satisfying higher 
order propagation criteria. In Advances in Cryptology — EUROCRYPT ’91 Pro- 
ceedings, Lecture Notes in Computer Science 547, pages 141-152. Springer-Verlag, 
1991. 

13. O. S. Rothaus. On bent functions. Journal of Combinatorial Theory (A), 20:300- 
305, 1976. 

14. J. Seberry and X.M. Zhang. Highly nonlinear 0-1 balanced Boolean functions 
satisfying strict avalanche criterion. In Advances in Cryptology — AUSCRYPT ’92 
Proceedings, Lecture Notes in Computer Science 718. Springer-Verlag, 1993. 

15. A. F. Webster and S. E. Tavares. On the design of S-boxes. In Advances in Cryp- 
tology — CRYPTO ’85 Proceedings, Lecture Notes in Computer Science 218, pages 
523-534. Springer-Verlag, 1986. 

16. A. M. Youssef, T. W. Cusick, P. Stanica, and S. E. Tavares. New bounds on the 
number of functions satisfying the strict avalanche criterion. In Third Annual Work- 
shop on Selected Areas in Cryptography, 1996. 




Distributed “Magic Ink” Signatures 



Markus Jakobsson* Moti Yung ^ 



Abstract 

The physical anzilog of “blind signatures” of Chaum is a document 
and a carbon paper put into an envelope, allowing the signer to transfer 
his signature onto the document by signing on the envelope, and without 
opening it. Only the receiver can present the signed document while the 
signer cannot “unbllnd* its signature and get the document signed. 

When an authority signs “access tokens”, “electronic coins”, “creden- 
tials” or “passports” , it makes sense to assume that whereas the users can 
typically enjoy the disassociation of the blindly signed token and the token 
itself (i.e. anonymity and privacy), there may be cases which require “un- 
blinding” of a signature by the signing authority itself (to establish what 
is known as “audit trail” and to “revoke anonymity” in case of criminal 
activity). 

This leads us to consider a new notion of signature with the following 
physical parallel; The signer places a piece of paper with a carbon paper 
on top in an envelope as before (but the document on the paper is not yet 
written). The receiver then writes the document on the envelope using 
magic ink, e.g., ink that is only visible after being “developed”. Due to 
the carbon copy, this results in the document being written in visible ink 
on the internal paper. Then, the signer signs the envelope (so its signature 
on the document is made available). The receiver gets the internal paper 
and the signer retains the envelope with the magic ink copy. Should the 
signer need to unblind the document, he can develop the magic ink and 
get the document copy on the envelope. Note that the signing is not 
blinded forever to the signer. We call this new type of signature a magic 
ink signature. 

We present an efficient method for distributively generating magic ink 
signatures, requiring a quorum of servers to produce a signature and a 
(possibly different) quorum to unblind a signature. The scheme is robust, 
and the unblinding is guaranteed to work even if a set of up to a threshold 
of signers refuses to cooperate, or actively cheats during either the signing 
or the unblinding protocol. We base our specific implementation on the 
DSS algorithm. Our construction demonstrates the extended power of 
distributed signing. 

’Department of Computer Science and Engineering, University of California, San Diego. 
markusScs . uesd . edu 

ICertCo, New York, NY. mot iScs. Columbia. edu, raoti®certco.cora 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 450-464, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 





451 



1 Introduction 

In recent years, various notions of distribution of cryptographic functions (sig- 
nature and encryption) among independent agents were considered. The typical 
added functionality of such a distribution include increased security of the se- 
cret key, increased availability of service, and increased flexibility of access, the 
latter by requiring a quorum to access information (as in, e.g., [9, 12, 20]). All 
these notions are functionality of distributed computing. 

In this work we suggest that the distributed signature setting also provides 
for extended functionality by enabling “a new notion of signature itself” which 
is otherwise impossible (owing to the added control in this case). The notion 
we speciflcally suggest is that of “Magic Ink Signatures” . In such a signature 
service, the signer blindly signs a message for a receiver, while retaining the 
capability to “unblind” the signature (analogous to developing “Magic Ink”), at 
any later point. What the distribution enables us is to implement the unblinding 
with separation in time - i.e., allowing the development of the “Magic Ink” at 
some point, but not earlier. This is impossible in the centralized case (what the 
signer can do at some point it can do earlier if there is no limiting factor such 
as the “Quorum Control” in the distributed case). 

Note that requiring various actions of a quorum of distributed agents re- 
garding a specific signature value needs a careful flexible design. For example, 
we cannot require that in each action the same identical quorum of agents be 
present. Requiring this may, paradoxically, reduce the availability of the service 
as the distribution level grows (whereas one of the initial reasons in distributing 
the service was increased availability). For the same reason, and quite counter- 
intuitively, it may also force us to put more trust in individual servers with a 
higher degree of distribution, unless care is taken. 

The magic ink signature enables the generation of blind signatures which 
can later be unblinded by the signer (following the physical analogue given in 
the abstract). This is in sharp contrast with traditional blind signatures, which 
are information theoretically blinded to the signer [5] . The typical application 
where the need for unblinding arises is for cases where “privacy of individu- 
als” is assured until some criminal or otherwise unusual activity is detected. 
Upon detection, identification of the origin of a signature becomes important 
in identifying the source of the unwanted activity. This is applied to private 
access tokens, authorized anonymous accounts, and electronic-money. Regard- 
ing the later setting, Chaum, Fiat and Naor’s [7] original off-line scheme (and 
its follow-ups) offered perfect anonymity. However, the absolute privacy feature 
of all these schemes is not only beneficial to honest users, but also to criminal 
offenders, as it makes perfect crimes possible [2, 4, 8, 11, 18, 23, 25]: Various 
methods for anonymity revocation are suggested in some of these works men- 
tioned. In “fair blind signatures” [3, 8, 11, 25], a signature receiver puts a 
pseudonym into the signature, allowing a third party (a judge) to later unblind 
the signature by calculating a pseudonym from a signature or vice versa. Magic 




452 



ink signatures are the “distributed cousins” of fair blind signatures, increasing 
the availability and lowering the amount of trust required (no need to employ 
a third party beyond the distributed signing agents and using quorum control 
to assure separation of duties). Magic ink signatures is a generic tool for blind 
signature generation, enabling the possibility of unblinding selected blind signa- 
tures by the signer - but only under quorum agreement to do so. The method 
is applied to a payment scheme with revocable privacy in [17, 19]. We note 
that it is easy to apply proactive methods [14, 15] to our suggested solution, for 
maximum security and availability. 

Organization: We present a magic ink signature scheme that is robust, ensur- 
ing that as long as a quorum of (a plurality of honest) servers cooperate, they 
will always be able to unblind a given signature. Thus, we ensure availability 
and a high degree of distribution and reduced degree of trust required from an 
individual server. We first specify the notion of magic ink signatures, and the 
format of DSS signatures. Then, in section 3, we present the intuitive approach 
of magic ink DSS signatures. In section 4, we explain the model, our assump- 
tions, and the tools we utilize. Among these is a new construction of robustness 
applicable to certain distributed protocols. This is followed by a protocol for 
magic ink generation of DSS signatures in section 5. In section 6, we elaborate 
on the robustness of the scheme and we claim its properties in section 7 and the 
Appendix. 

2 Requirements and Background 

Specifications: We wish to obtain a signature scheme where blind signatures 
can be distributively produced by a quorum of trustees, and these signatures 
can always be unblinded by a (possibly different) quorum (assuming a certain 
linear-fraction majority of honest trustees). We specify the following properties: 

• Signatures are generated using a (t, n) threshold scheme by any t out of 
the n trustees. Less than t trustees cannot generate a valid signature. 

• The signatures are computationally blinded to any set of less than t 
trustees (i.e., the signature cannot be correlated to the blinded signature 
or the signing session by a set of less than t trustees.) 

• Valid signatures can be unblinded, i.e., signatures matched to signing ses- 
sion or vice versa, by any t out of the n trustees, regardless of the behavior 
of the other n — t trustees and the signature receiver. 

• Furthermore, we want signatures generated by an attacker who compro- 
mises the secret key of less than t signers (or forces these signers to sign 
using a protocol different than the specified) to be identifiable by any t of 
the signers (i.e., having an audit trail of legal signatures). 




453 



2.1 The Digital Signature Standard (DSS) 

We use the DSS (described herein) as the underlying signature algorithm [21]. 

Note: Since we use different moduli at different times, we use [op]^ to denote 
the operation op modulo z, where this is not clear from the context. 

Key Generation. A DSS key is composed of public information p, q,g, a public 
key y and a secret key x, where: 

1. p is a prime number of length / where / is a multiple of 64 and 512 < I < 1024. 

2. g is a 160-bit prime divisor of p — 1. 

3. g is an element of order q in Z*. The triple (p, q, g) is public. 

4. X is the secret key of the signer, a random number \ < x < q. 
y — [^^]p is the public verification key. 

Signature Algorithm. Let m £ Zq he a hash of the message to be signed. 
The signer picks a random number k such that 1 < k < q, calculates k~^ mod q 
(w.l.o.g. k and k~^ values compared to DSA description are interchanged), and 
sets 

^ = [[/"y, 

s = [l;(m + xr)]^ 

The pair (r, s) is a signature of m. 

Verification Algorithm. A signature (r, s) of a message m can be publicly 
verified by checking that r — [[p"** p’"’ ]p]q- 

3 Single-Server (Pseudo) Magic Ink Signatures 

In order to communicate the intuition of our scheme, we present a method for 
producing Magic Ink DSS Signatures using only one signing server (which will 
be able to unblind the signature at will at any time). However, when we later 
distribute the signature server, signing and unblinding both will require quorum 
agreement . 

3.1 (Pseudo) magic ink generation of DSS signatures 

1. The signature receiver R hzis a hashed message m E Zq that he wants 
signed. He generates two blinding factors, a,b G« Zq, and computes a 
blinding of m, p = [ma]^. R sends p to the signature generating server S. 

2. S generates a random secret session key, G„ Zq, and computes r = 
[g^ ]pi which is sent to the signature receiver R. 

3. The signature receiver R computes r = [[f^lpj^i and computes a blinding 
p of r: p = [ra]^. R sends p to the signature generating server. 




454 



4. S generates a tag tag and the DSS signature a on the message fi, using 
the public session key p. Here, tag is calculated first (which we describe 
how to do below), after which cr is calculated as follows: a = [k{p + xp)]^. 
The server sends a to R. 

5. The signature receiver R unblinds the signature; s = The 

triple (m, r, s) is a valid DSS signature on m. 



Theorem 1: The protocol produces correct DSS signatures. 

Proof of Theorem 1: 

Recall that a =g k(p + xp), s =g aa~^b~^, m pa~^, and y =p ■ We 
can describe r either as r = [[ 3 *^ *]p]^ (from the point of view of information 
going from the signer(s) to the receiver) or as r = (from the point of 

view of information going back from the receiver to the signer(s)). We have that 

Thus, the protocol generates valid DSS signatures. □ 

3.2 Generation of tags 

Let us start by making the following observation; 

Signature- View Invririant: Let identify a valid signature (m, r, s), 

and [p,p) part of the the view of the signer during a signature generation 
session. We have: mr~^ =5 pp~^ , since p = [moj^ and p = [raj^ for a valid 
signature. 

Justification: We have a = [A;(/r + xp)]^ for (p,p) generated by R. Linear com- 
binations of more than one such signature are not known to give a signature of 
the valid form (due to the use of different values of k of different signatures; and 
implied by our assumption of existential unforgeability of this type of signatures) 
so we will only consider operations on one signature. Multiplying the value a by 
a coefficient can maintain a valid signature; two such manipulations are known: 
First, for s = and (m,r) = ([pa],j, [pa]^) we have that (m, r, s) is still a 

1 , 

valid signature. Second, for s = [<r 6 ]^, and (m, r) = (p, p) = (p, [[fit ]p]^), we 
have that (m, r, s) is also a valid signature. For both of these manipulations, the 
invariant holds, and no other applicable blinding methods are known. There- 
fore, any way of obtaining a valid signature (m, r, s) for which m/r p/p, 
would give a new method for blinding of signatures of this type. 




455 



Use for tagging: We will use the signature-view invariant for the produc- 
tion of tags, which will be (possibly distributedly stored results of) a function of 
[f^P~^]q- Consider the following tagging method; The signature servers distribu- 
tively generate and keep a marker (session tag) specific to the signing session, 
and a distributed tag (unknown to any subset of less than t servers). Together, 
these can be used to distributively calculate the invariant [m/r]^ of the related 
session, which can be output and compared to a signature invariant (beised on 
m and r) or distributively (secretly) compared to a given invariant. 

3.3 Tracing 

There are three types of tracing we can perform: 

1. From known signing session to signed message: The signature in- 
variant is calculated from the tag and the marker of a given session. 

2. From known signed message to signing session: The given signa- 
ture invariant is distributively compared to the signature invariant of each 
potential session, which is distributively calculated from the tag and the 
marker of a given session. 

3. By comparison: The given signature invariant is distributively com- 
pared to the signature invariant of the given session. 

4 Model and Tools 

4.1 Communication and Threat Model 

We assume the standard computational model of polynomial-time randomized 
Turing machines. Players are connected by an insecure broadcast medium, and 
an (also polynomial time limited) adversary can inject messages and eavesdrop, 
but not disconnect any other player from the network. Furthermore, the adver- 
sary can corrupt up to < — 1 of the n players in the network, and by doing so, 
force the corrupted players to divert from the specified protocol arbitrarily. See 
[12] for more details about the model. 

4.2 Assumptions 

We will rely on the following cissumptions: 

1. The Undeniable Signature Assumption [6] holds (i.e., given an input quadru- 
ple (m, s, g, y), it is hard to decide whether logmS = loggjj, unless x = loggU 
is known.) This implies that the Discrete Log problem is not in BPP, and 
that Pedersen’s secret sharing scheme [22] is secure on random secrets. 




456 



2. The DSS signature scheme where the signature receiver is allowed to spec- 
ify the message m to be signed after seeing the value ]p is secure 
against a chosen message attack. 

4.3 Tools 

Let us briefly describe the existing tools we employ: 

• Polynomial Interpolation Secret Sharing[24]: This is the well-known 
result in which a secret a is shared by choosing at random a polynomial 
f{x) of degree t, such that /(O) = cr. 

• Joint Random Secret Sharing[10, 22]: In a Joint Random Secret Shar- 
ing scheme the players collectively choose shares corresponding to a (t, n)- 
secret sharing of a random value. 

• Joint Zero Secret Sharing[l]: This protocol generates a collective sha.r- 
ing of a “secret” whose value is zero. Such a protocol is similar to the above 
joint random secret sharing protocol but instead of local random secrets 
each player deals a sharing of the value zero. 

• Computing Reciprocals[12j: Given a secret fc mod g which is shared 
among players Pi, ...P„, generate a sharing of the value k~^ mod q, with- 
out revealing information on k and k~^. 

• Multiplication of Secrets[12]: Given two secrets u and v, which are 
both shared among the players, compute the product uv, while maintain- 
ing both of the original values secret (aside from the obvious information 
which is revealed from the result). 

The multiplication of two secrets easily extends to linear combinations and 
products of three secrets, e.g., ki{fii -f X{pi) for secrets k{, pi, Xi, and pi. This 
is achieved without altering the method given in [12]. We also use three new 
tools: 

• Comparison of Secrets: Given two secrets u and v, which are both 
shared among the players (or one is shared one is known), using the above 
tools we can compare their equality without learning the secret values. 

• Undeniable Signature Based Robustness: We introduce the use of 
the verification protocol of undeniable signatures to prove correct expo- 
nentiations. 

• Destructive Robustness: We introduce a new method for making dis- 
tributed protocols robust: Instead of verifying that each individual share 
of the calculation is correct, we first combine the shares and then verify 




457 



that the combined result is correct. If it is not, then each share of the re- 
sult is verified. A minor efficiency improvement is obtained from doing so. 
But more importantly, this approach allows simpler and clearer protocol 
design. This is because we can allow the individual correctness verifica- 
tion to destruct important properties of the produced transcript, which, 
if the combined result is not correct, is a worthless transcript anyway. 
Therefore, we call this type of robustness destructive robustness. 



5 Magic Ink Signature Generation 

5.1 Distributed magic ink generation of DSS signatures 

Let us now consider a distributed version of the protocols previously presented. 
Here, let Q be a quorum of t servers in Si . . .S„: 

1. The signature receiver R has a message m £ that he wants signed. He 

generates two blinding factors, a,b Zq. He then computes a blinding 
of m, p = [ma]^, and a (f,n) secret sharing (pi, . . .p„) of p, with public 
information He sends p; to signature generating server Si- 

2. The set of servers 5i|i £ Q distributively generate a random secret session 

key, k £„ Zq, where server S, has ashare fcj. Server Si publishes and 

using the methods for computing reciprocals in [12], the servers compute 

f = [g^ ]p, which is sent exclusively to the signature receiver R. 

3. The signature receiver R computes r = and blinds this; p = [ra,]^. 

R computes a (f , n) secret sharing (pi , . . . Pn) of p, with public information 
{g'’^ . . .jf'’"). R sends p< to Si. 

4. The set of servers 5i|i £ Q distributively generate the tag tag and the 
DSS signature a on the message p, using the (shared) public session key p. 
Here, tag is calculated first (for which we present a robust protocol below), 
after which cr is calculated as follows; Si generates cr; = [fc;(pi -t Sipi)]^. 
Then, cr = [fc(p + xp)]^ is interpolated from the cr,’s using the method for 
multiplication of secrets in [12]. The servers send a to R. 

5. The signature receiver R unblinds the signature; s = [cra“^A“^]^. The 
triple (m, r, s) is a valid DSS signature on m. 

We note that the proof of correctness is identical to that of the non-distributed 
protocol version, given robust primitives for secret sharing (e.g., [10, 22]), for 
computing reciprocals (e.g., [12]) and for multiplication of secrets (e.g., [12]). 
Also note that we can use standard zero-knowledge techniques to force the re- 
ceiver to prove that the blinding of steps 1 and 3 are consistent. 




458 



5.2 Distributed tag generation and tracing 

Let us review the steps of tagging method previously outlined; At the time of 
signing, /i and p are available distributedly. The servers distributively compute 
\jJ./ p\q (without revealing this value to each other). Also, they select a dis- 
tributed random value [c]^. The servers distributively store this value, and its 
inverse They compute and publish the tag [c{p/ p)]q (given that the com- 

ponents of the multiplication are distributed and secret, this value is random). 
We can now trace from a session to a signature by distributed multiplication of 
the tag by [c~^]j, and comparing the result to the public signature invariant. 
Given a signature invariant \m/r\q, we can distributedly multiply by a value 
[c]j; if the (distributively held) result equals the the published tag, the session 
and the signature indeed match. For comparison of a session to a signature, on 
the other hand, we do not reveal the result of the last multiplication. Rather 
we check distributedly and secretly for equality of the computed multiplication 
and the session tag. Note that the probability of collision of tags is negligible. 

6 Robustness of Signature Generation 

So far, we have not considered the robustness of the signature generation. We 
will employ destructive robustness in order to obtain high efficiency without 
sacrificing anonymity. 

Destructive robustness involves two steps: (1) combination of shares of the 
result, and error detection, by verifying the correctness of the combined result. 
This check can be done either internally (i.e., by the same entities that produced 
the shares) or externally. Then, if the combined result is not correct, the second 
step is invoked: (2) error tracing, in which it is determined which server(s) have 
deviated from the protocol. This kind of robustness is possible in protocols 
where partial incorrect results can be discarded and when we can withstand 
delays of malicious servers revealing themselves in a slow pace. 

We demonstrate an external method of destructive robustness for the gen- 
eration of the blind signature <t on p, using p as public session key: 

1. Share Combination and (External) Error Detection: 

The signature servers send cr to R, who unblinds the result, obtaining a 
triple (m, r, s). If this signature is not valid, then R sends a complaint to 
the signature servers, invoking the next step: 

2. Error Tracing: 

€ Q reveals /ij. If Cj was computed correctly, then g’'’ =p 

=p ((s^')l/i^')*^'- Using a verification protocol for un- 
deniable signatures, S) proves that for some I = {g^')yi^' it is true that 
logig"' = logg{g^'). He then proves that logy^[I{g^''y^) = logg{gP'). A 
server Si is declared a cheater if he refuses to reveal the information, if the 




459 



information is not consistent with the public shares of the secret sharing 
schemes, or if the share s,- sent out earlier was incorrectly computed. 

We see that the above method assures that cheating servers are caught, and 
that no transcript properties are lost when no complaint is filed. Also note that 
if R files a unjustified complaint, then this will be established, since it will be 
found that no server cheated. Finally, note that no secret information of honest 
servers will be leaked to R if R receives an invalid signature transcript. R has no 
motivation to complain about a good signature; this results in early “unblind- 
ing”. Each time a threshold is used and opened, the misbehaving processors are 
eliminated and the process start afresh (to avoid leaking information) based on 
new random choices. This may result in a delay of at most t times, but enables 
f to be a maximal minority n = </2 -t- 1 . Note that the method is applicable due 
to the probabilistic nature of the computation and the care in opening erroneous 
results. 



7 Correctness Claims 

We claim that the scheme satisfies the specification of Magic Ink Signature 
schemes. More specifically, we claim that 

• We generate correct DSS signatures in a robust way, using a (f , n) thresh- 
old scheme (t from [12]). 

• It is not possible for less than t out of n signature servers to correlate a 
signed message to its blinded withdrawal session. 

• It is always possible for t out of n signature servers to correlate a signed 
message to its blinded withdrawal session. 

• It is always possible for t out of n signature servers to distinguish mes- 
sages they signed from messages signed by an attacker who compromised 
their secret key (or forced them to produce a signature in a fully blinded 
manner.) 

The claims are shown to hold in the appendix. 

Finally, we note that key exchange can be reduced to magic-ink signatures 
(one party playing the receiver and the other party plays all signers, and the 
message being the key). Due to blinding, the message (key) is hidden from 
eavesdroppers, but not from the party playing the signers (since it can perform 
“unblinding” internally). This implies the difficulty of designing magic-ink sig- 
nature merely based on the existence of a general one-way permutations [16]. 




460 



8 Acknowledgments 

Thanks to Russell Impagliazzo for numerous discussions, to Jan Camenisch and 
Markus Stadler for pointing out corrections to the initial draft, and to Markus 
Michels, Tal Rabin and Rebecca Wright for helpful comments and remarks. 



References 

[1] M. Ben-Or, S. Goldwasser, A. Wigderson, “Completeness Theorems for 
Non-cryptographic Fault-Tolerant Distributed Computations,” STOC ’88, 

pp. 1-10. 

[2] E. Brickell, P. Cemmell, D. Kravitz, “Trustee-based Tracing Extensions 
to Anonymous Cash and the Making of Anonymous Change,” Proc. 6th 
Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), 1995, 
pp. 457-466. 

[3] J. Camenisch, U. Maurer, M. Stadler, “Digital Payment Systems with 
Passive Anonymity-Revoking Trustees,” Computer Security - ESORICS 
96, volume 1146, pp. 33-43. 

[4] J. Camenisch, J-M. Piveteau, M. Stadler, “An Efficient Fair Payment 
System,” 3rd ACM Conf. on Comp, and Comm. Security, 1996, pp. 88-94. 

[5] D. Chaum, “Blind Signatures for Untraceable Payments,” Advances in 
Cryptology - Proceedings of Crypto ’82, 1983, pp. 199-203. 

[6] D. Chaum, H. Van Antwerpen, “Undeniable Signatures,” Advances in 
Cryptology - Proceedings of Crypto ’89, pp. 212-216. 

[7] D. Chaum, A. Fiat and M. Naor, “Untraceable Electronic Cash,” Ad- 
vances in Cryptology - Proceedings of Crypto ’88, pp. 319-327. 

[8] C.I. Davida, Y. Frankel, Y. Tsiounis, and M, Yung, “Anonymity Control 
in E-Cash Systems,” Financial Cryptography 97. 

[9] Y. Desmedt, Y. Frankel, “Threshold Cryptosystems,” Advances in Cryp- 
tology - Proceedings of Crypto ’89. 

[10] P. Feldman, “A Practical Scheme for Non-Interactive Verifiable Secret 
Sharing” FOCS ’87, pp. 427-437. 

[11] Y. Frankel, Y. Tsiounis, and M. Yung, “Indirect Discourse Proofs: Achiev- 
ing Efficient Fair Off-Line E-Cash,” Advances in Cryptology - Proceedings 
of Asiacrypt 96, pp. 286-300. 




461 



[12] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, “Robust Threshold DSS 
Signatures”, Advances in Cryptology - Proceedings of Eurocrypt ’96, pp. 
354-371. 

[13] S. Goldwasser and S. Micali, “Probabilistic Encryption”. 
J. Comp. Sys. Sci. 28, pp 270-299, 1984. 

[14] A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, M. Yung, ’’Proac- 
tive Public Key and Signature Systems,” 4th ACM Conf. on Comp, and 
Comm. Security, 1997. 

[15] A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, “Proactive Secret Shar- 
ing, or How to Cope with Perpetual Leakage,” Advances in Cryptology - 
Proceedings of Crypto ’95. 

[16] R. Impagliazzo and S. Rudich, Limits on the Provable Consequences of 
One-way Permutations, STOC ’89. 

[17] M. Jakobsson, “Privacy vs. Authenticity,” PhD Thesis, University of Cal- 
ifornia, San Diego, Department of Computer Science and Engineering, 
1997. Available at http;//www-cse. ucsd.edu/users/markus/. 

[18] M. Jakobsson and M. Yung, “Revocable and Versatile Electronic Money,” 
3rd ACM Conference on Comp, and Comm. Security, 1996, pp. 76-87. 

[19] M. Jakobsson and M. Yung, “Applying Anti- Trust Policies to Increase 
Trust in a Versatile E-Money System,” Financial Cryptography ’97. 

[20] S. Micali, “Fair Cryptosystems,” Advances in Cryptology - Proceedings 
of Crypto ’92. 

[21] National Institute for Standards and Technology, “Digital Signature Stan- 
dard (DSS),” Federal Register Vol 56(169), Aug 30, 1991. 

[22] T.P. Pedersen, “Distributed Provers with Applications to Undeniable Sig- 
natures,” Advances in Cryptology - Proceedings of Eurocrypt ’91, pp. 
221-242. 

[23] S. von Solms and D. Naccache, “On Blind Signatures and Perfect Crimes,” 
Computers and Security, 11 (1992) pp. 581-583. 

[24] A. Shamir, “How to Share a Secret,” CACM, V. 22, 1979, pp. 612-613. 

[25] M. Stadler, J-M. Piveteau, J. Camenisch, “Fair Blind Signatures,” Ad- 
vances in Cryptology - Proceedings of Eurocrypt ’95, 1995. 




462 



9 Appendix: Correctness and Security 

The magic ink signature generation is correct, as shown in the proof of the 
single-server version (which generates the signature the same way) in section 3, 
and its simulation in the distributed setting (based on [12]). The robustness 
of the signature generation depends on our destructive robustness method for 
random signatures (on top of the non-robust threshold DSS), and the soundness 
of the composed undeniable signature verification. 

Let us next sketch the proof of the additional required properties: that the 
original signature is blinded and that it can be unblinded as well. 

Theorem 2; A coalition of less than t cheating servers cannot, with a non- 
negligible advantage over guessing, correlate a .signature to a signing session. 

Proof of Theorem 2: (Sketch) 

Let Vi and V 2 be the view of a coalition of less than t signing servers for two 
different signing sessions. Let (m,r, s) be a signed message, created in either 
one of these signing sessions, and assume, in order to reach a contradiction, that 
the signed message can be correctly matched to either or V 2 with probability 
I + £, where £ is polynomial in the size of the security parameters. 

We will show that this is not possible by demonstrating that, unless the undeni- 
able signatures assumption is invalid, a polynomial time limited adversary will 
not be able to tell the transcript parts given from random strings. 

We will therefore perform the following thought experiment: We assume that 
we have a random string of the size of the signers’ view during a signature 
generation phase, where each individual part of the string (corresponding to 
a transcript part (communication step) of the generation) is selected from the 
same distribution as its corresponding actual transcript part. Then, we will 
replace the individual parts of the random string with part of a real transcript 
one by one. For each step, we will show that it is not possible for a non-quorum 
of signers to distinguish which of the strings corresponds to a string before or 
after the last replacement. (This is the walking argument on a random variable 
[13]). This shows that given a generated signature, its generation view and a 
random string of the same size and same public distribution, a non-quorum of 
signers will not be able to match the signature to the the generation view with 
more than a negligible probability. 

We divide the information into two sets, (a) the view of less than a threshold 
of signer servers, and (b) the signed message. The view of server Si consists of 

the public information n = [p* ]; {o’Oi have the 

value tag, and intermediary results in the generation; we will consider this later. 
We have private information fii, pi and X{. Since the private information 
are random shares of k, p, p and x\ and <r,- is just a combination of the random 
shares and public information, these (or less than t of these sets) cannot help 
us to correlate the view to the signed message. Therefore, we focus only on 




463 



the public information and the signed message, and prove that these cannot be 
correlated by a non-threshold of signature servers. 

Let us consider what meaningful information can be calculated from the pub- 
lic view and the signed message; The signed message is of the form (m, r, s), 
where r = ** and s is such that r ’ j/’'* ^ . Given the structure of the 

tag, we need to learn something about [p/p]^ in order to trace (which we will 
show to be hard). Without loss of generality, let us consider real transcripts 
parts of Vi , and the following order of substituting correct transcript parts with 
random transcript parts in the list of random transcript parts and a potential 
triple (m, r, s). The following are ideas regarding the implications of possible 
distinguishability at each substitution stage; 

1. Substitute in ; It is not possible to distinguish this step, since (m, r, s) is 
statistically uncorrelated to p (given that a is chosen uniformly at random, 
p = [ma],, r is not related to p, and s is uncorrelated from p by 6 , which 
is chosen uniformly at random.) 

2. Substitute in g^ , r — g^ ; It is not possible to distinguish this step either, 

since (m, r, s,p) is statistically uncorrelated to k. It cannot be correlated 
to m or p since these are not related, and not to r since b is chosen uni- 
formly at random and r = [[ 5 *^ *]p]?- It cannot be correlated to s, which 
is a linear combination of I;, x (both unknown) and p, r (both in the set of 
potential transcript parts), or; given the linear combination, and known 
fi,r,<T,p we would be able to decide the undeniable signature {g, ,r,r^), 



- (g 









The same argument holds for substituting in 



3. Substitute in g^: We see that p is unrelated to m, and g’^ . If we can 
correlate it to r or f , this gives us an algorithm for deciding the undeniable 
signature {g,g^ , r, r*) (assuming a is known); s is just a linear combination 
of the above, and the previous argument for linear combinations holds. It 
is not possible to produce a known function [p/p]q from g*^ and g^, or the 
Diffie-Hellman assumption breaks. 



4. Substitute in cr,- (or with the same argument; a) 
bination argument above. 



Follows the linear com- 



Next, based on the above ideas, since none of the substitutions can be distin- 
guished from a random string, it is not possible to match with related non- 
negligible probability one signed message to one out of two signing views (by 
the triangle inequality). Let us consider tag now; The tag generation protocol 
outlined is specified so that it hides the participants inputs (guaranteed by the 
properties of the protocol for multiplication of secrets and inverting a secret.) 
In fact the public tag is a random element mod q (for each tag and signature 




464 



invariant there is an element that matches it with the signature). It is therefore 
not possible to match a signed message to one out of two possible signing views. 

It is also true, then, that it is not possible to match a signed message to 
one out of n signing views. Otherwise we simply would get a contradiction by 
constructing n — 2 additional signing views, none of which matches the signed 
message, and then match this to one of the remaining two views. □ 

Theorem 3: A quorum of t servers will always succeed in unblinding a signature 
in either of the three directions given. 

Proof of Theorem 3: (Sketch) 

Given that [m/r]^ ~g is always true for a signature generation session 

in which a valid signature (m,r, s) is generated (this can be guaranteed using 
zero-knowledge proofs if a new blinding methods is suspected to exist), we have 
that the tag will always be retrievable given robust protocols for tag generation 
and tracing. The robustness of these follows from the robustness of methods for 
multiplication and inversion of secrets. □ 

An audit trail of legal signatures: 

In addition to correct checking and tracing of existing signatures, we have a 
built-in fraud detection mechanism. Since only signatures that were generated 
in the proper manner by the signature servers will have a tag, it will be possible 
to distinguish such signatures from signatures generated by an attacker who 
compromised the secret key of the signer but has no access to the tags. The 
signature servers can compare tag by tag to the signature (using the third tracing 
option,) and if no tag matches, then it is invalid. This feature may provide an 
“audit trail” for sensitive services. 




Efficient and Generalized Group Signatures 



Jan Camenisch 

Department of Computer Science 
ETH Zurich 

CH-8092 Zurich, Switzerland 
camenischQinf . ethz . ch 



Abstract. The concept of group signatures was introduced by Chaum 
et al. at Eurocrypt ’91. It allows a member of a group to sign mes- 
sages anonymously on behalf of the group. In case of a later dispute a 
designated group manager can revoke the anonymity and identify the 
originator of a signature. In this paper we propose a new efficient group 
signature scheme. Furthermore we present a model and the first real- 
ization of generalized group signatures. Such a scheme allows to define 
coalitions of group members that are able to sign on the group’s behalf. 



1 Introduction 

In [6] Chaum and van Heyst proposed a new type of signature scheme for a group 
of entities, called group signatures. Such a scheme allows a group-member to sign 
a message on the group’s behalf such that everybody can verify the signature but 
no one can find out which group member provided it. However, there is a trusted 
third party, called the group manager, who can in case of a later dispute reveal 
the identity of the originator of a signature. The group manager can either be a 
single entity or a number of coalitions of several entities (e.g. group members). 
This concept can be generalized to allow defined subsets of all group members 
to jointly sign a message on behalf of the group. 

An application of group signature schemes is a company needing a corporate 
identity. Members of the company can sign contracts with customers such that 
a customer does not know who actually signed the contract. If a problem with 
a particular contract occurs later, the company can find out which employee is 
to be held responsible. 

1.1 Related Work 

There exist several other group-oriented concepts for signature schemes. The 
most important ones are multi-signatures [3,9,15] and proxy signatures [14]. 
Multi-signatures can be seen as generalized group signature without the ability 
of “opening” signatures, while proxy signatures are group signatures that do not 
provide anonymity. 

Solutions for group signature schemes were first presented in [6] and later 
in [7]. We discuss these schemes briefly. In [6] four different schemes were pro- 
posed. Three of them require the group manager to contact each group member 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 465-479, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




466 



in order to find out who signed a message. These scheme provide computa- 
tional anonymity, whereas the forth scheme provides information theoretical 
anonymity. For two of the schemes it is not possible to add a new member 
after the scheme is set up (including the scheme giving information theoretical 
anonymity). In none of the proposed schemes it is possible to distribute the 
functionality of the group manager efficiently. 

Later, Chen and Pedersen proposed two new schemes in [7] providing infor- 
mation theoretical anonymity and computational anonymity, respectively. These 
schemes allow to add new members after the setup of the system and to distribute 
the functionality of the group manager. They are based on proofs of knowledge 
of one out of several discrete logarithms, each being the secret key of a group 
member. The proofs they apply have the special property that when knowing 
all secret keys, one can tell which one was used in the proof. To realize the 
group manager’s ability to open signatures, two such proofs of knowledge must 
be used in parallel, where for one the manager is told the secret keys of all group 
members. However, this solution has the drawback that the group manager can 
falsely accuse a group member of having signed a message; she therefore com- 
putes one of the proofs of knowledge using the known secret key of the member 
she wants to accuse. This risk can be weakened, but not prevented, by sharing 
the functionality of the group manager. To solve this problem, some kind of 
disavowal protocol would be needed. 



1.2 Our Results 



In this paper we propose a group signature scheme where the manager cannot 
falsely accuse group members (even if she is also a group member) and which 
is also more efficient than all the previously proposed schemes. Furthermore, 
this scheme is extended to a generalized group signature scheme that is also 
presented. In both schemes, the functionality of the group manager can be shared 
such that the identity of a signer can still be revealed efficiently. Both schemes 
allow to add (or remove) group members after the initial setup. They provide 
computational anonymity which we believe is satisfactory because the security of 
the signature scheme itself is also computational (as is the case for all signature 
schemes). 

The paper is structured as follows. In the next section we formalize the con- 
cept of (generalized) group signatures schemes. The preliminaries are given in 
Section 3, and in Section 4 we formalize different protocols for proving knowledge 
about discrete logarithms. This formalization allows a compact and comprehen- 
sive description of the new group signature schemes in Section 5. An example 
of a generalized group signature scheme is also given. In Section 6 we present 
extensions to the scheme, such as distributing of the functionality of the group 
manager. 




467 



2 Defining Group Signature Schemes 

In this section we define the generalized concept of group signature schemes. 
Let V = {Pi, be a set of group members and M be a designated entity, 

called group manager. The set of all authorized coalitions of group members 
P C 2^ is called authority structure. The structure must be monotone, i.e., for 
two sets S and S' e 2^, if <S e P and S' D S, then also 5' € P. If P = 
{{Pi}, {P 2 }, ..., {P„}}, we call the group signature scheme simple (this is the 
only authority structure we do not require to be monotone). 

A (generalized) group signature scheme for V and M with respect to P 
consists of four procedures: 

setup: On input P this multi-party protocol between all members in V and M 
outputs the group public key y, to each group member Pi £V & secret key 
Xi, and an opening secret key u) to the group manager M. 
sign: On input a message m, the group public key T’, the structure P , the 
coalition S, and the corresponding secret keys Xi, this multi-party protocol 
between members in some <S £ P outputs a signature s on m. 
verify: On input a message m, the group public key y, the structure P, and a 
signature s, this algorithm outputs yes if and only if the signature is correct, 
open: On input a message m, the group public key 3^, the structure P, a signa- 
ture s and the opening secret key cj, the algorithm outputs S £ P (i.e., the 
set of group members that signed m) and a proof that S indeed signed m. 

In the procedures being multi-party protocols the private inputs of the different 
parties must of course remain secret during and after the execution. The require- 
ment that open also outputs a proof is often omitted but is essential if the trust 
to be put into the group manager is to be minimized. 

The group publishes its public key (V, the authority structure P, and some 
system parameters. A group signature scheme must satisfy the following prop- 
erties: 

1. Only authorized coalitions S of group members, i.e., S £ P, can sign. The 
correctness of a signature can be publicly verified using y and P. 

2. It is not possible to find out which coalition S £ P signed a message 
(anonymity) or whether two different signature are signed by the same coa- 
lition (unlinkability) . 

3. In case of dispute, the group manager can open a signature, i.e., find out 
which coalition signed a message, by running the algorithm open 

4. The group manager must only be involved in the procedures setup and open. 

These properties are demanded in all previous papers and further properties 
follow from them, for instance the property that a coalition must not be able 
so sign in the name of another coalition. However, the following natural prop- 
erties should also be satisfied by a group signature scheme. The property 5 was 
formulated as an open problem in [6] and achieved first in [7]. 




468 



5. To decrease the trust to put in the group manager, it should be possible to 
distribute her role among a set of entities such as the members of the group. 

6. The group manager is only trusted not to open signatures at will and is not 
trusted with regard to anything else. 

When considering the efficiency of a scheme, the following parameters are of 
particular interest; the amount of computation in the algorithms setup, sign, 
verify, and open, the size of the group public key, and the length of signatures. 
The possibility of adding (or removing) new group members after the initial 
setup falls also in this category, namely in the efficiency of the algorithms setup 
(i.e., whether it is possible to run it incremental or not). 



3 Preliminaries 

In this section a variation of the ElGamal encryption scheme is described. This 
variation is used as a building block for both group signature schemes we present. 
We give a formal definition of secret sharing schemes and describe an example. 
Secret sharing is used for constructing the generalized group signature scheme. 



3.1 ElGamal Encryption Variant 

The original encryption scheme was proposed by ElGamal [10]. In this paper we 
interchange the role of the base and the public key and get the following scheme 
with the same security properties. Let G be a finite cyclic group of prime order q 
and let p 6 G be a generator of G such that computing discrete logarithms to the 
base g is infeasible. In order to encrypt a message m for an entity with public key 
z = g^, one first chooses a randomly in Z, and then encrypts m by computing 
the pair {A,B) = {z°‘,g°‘m). The entity knowing the secret key x can decrypt 
the message m by calculating 



B 



9"rn 

gXOCX'^ 



= m . 



3.2 Secret Sharing 

A secret sharing scheme is a method for distributing a secret a among a set of n 
participants V = {Fi , ..., F„}. Each participant F< obtains a share of the secret 
<T such that every qualified subset S of V can reconstruct a by using algorithm 
Tr- The following must hold: 

V5gF: a = Tr{S,{Q\PieS}) . 

The union of all qualified subsets F C 2^ is called the access structure and is 
required to be monotone. A common special case is a threshold structure where 




469 



for a threshold k the access structure F is defined as {c5 C 2^ | [iSI > k}. Every 
access structure F has a natural dual access structure F* : 

SeF* SiF , 

where S denotes the complement of S in V. If F is monotone, then F* is also 
monotone and we have (F*)* = T. If F is a threshold structure, then so is F*. A 
secret sharing scheme is called perfect if the participants forming a non-qualified 
subset of V are not able to obtain any information on a. A secret sharing scheme 
is ideal if it is perfect and the secret and the shares are of the same length. 

To construct the shares for a given secret <t, we employ a nonstandard al- 
gorithm that, given the shares of a non-qualified set, outputs the shares for the 
remaining participants. Formally, the algorithm ^ which takes as inputs the ac- 
cess structure F, a non-qualified set of participants Af ^ F, the set {<ii\Pi € Af] 
of their shares, and the secret a and outputs the set £ 7^}, i-c., 

^^(r,AA,{<Ti|Pi 6 A/-},a) = G M] . 

The algorithm relies on the fact that given the secret and the shares of a non- 
qualified set participants A'", it is possible to construct a complete set of shares. 

As an example of a threshold secret sharing scheme with n participants and 
threshold k, we present Shamir’s scheme [18]. A secret a (an element of a fi- 
nite field GF{q), with q > n) is shared by randomly choosing the coefficients 
ai,...,afc-i € GF{q) of the polynomial 

f{X) = ak~iX''~^ + ... + aiX + a (mod g) . 

The share for participant Pi is then calculated as q = /(p;) > where pi is a publicly 
known element of GF{q) associated with participant Pi, e.g. p,; = i. Given k or 
more shares the function / and thus cr can be found by Lagrange interpolation 
on the points (pi,Ci). This scheme is ideal. 

4 Proving Knowledge of Discrete Logarithms 

In this section we define and formalize the building blocks for our scheme. They 
are based on different interactive proofs of knowledge of discrete logarithms that 
are made non-interactive using the techniques of [17]. To avoid confusion with 
the terminology of non-interactive proofs of knowledge, we call these building 
blocks signatures of knowledge. 

The algebraic setting is as follows. Let G be a finite cyclic group of prime 
order q and let p,gi, ...,g„ G G be generators of G such that computing discrete 
logarithms to any of the bases is infeasible. A public key yi is constructed by 
computing yi — p’’' with the secret keyxi chosen at random from Z,. The symbol 
II denotes the concatenation of two binary strings (or of the binary representation 
of group elements and integers). Finally, let K : {0,1}* -t {0,1}^ {f ss 128) 
denote a one-way hash function. 

The first building block we define is a signature of knowledge of the discrete 
logarithm of a public key y to the base g. 




470 



Definition 1 . A pair (c, s) satisfying 

c = 'H{g\\y\\g"y''\\m) 

is a signature of knowledge of the discrete logarithm of a group element y to the 
base g for the message m and is denoted by SKDL{g,y,m). 

Basically, such a signature of knowledge is a Schnorr signature (see [17]) with a 
slightly different argument to the hash function. A SKDL can be computed only 
if the secret key x is known, by choosing r at random from Z, and computing c 
and s according to 



c = '^{9\\y\\f\\m) 

and 



s = r — cx (mod q) . 

The values 5’’, c, and s are often called commitment, challenge, and response, 
respectively, although the “proof” is non-interactive. If the context is clear then 
the hashing of bases and public keys could be omitted. 

Another building block we use is a signature of knowledge of the discrete 
logarithm of one out of several public keys yi without revealing which one. Such 
proof-systems were first introduced in [8]. 

Definition 2. A 2n-tuple (ci,...,c„,si,...,s„) satisfying 

n 

■W(5ll2/ill-ll2/n||p*‘j/?'|l-IIS'’’’l/n"l|w) (mod q) 

t=l 

is a signature of knowledge of the discrete logarithm of one group element 
out of the list {j/i, ..., ?/n} to the base g for the message m and is denoted by 
5KDL["](g,yi,...,i^„,m). 

A SKDL\^{g,yi,...,yn,m) can only be given if at least one of the secret keys 
is known. We now show how to compute such a signature. Assume that the 
known secret key is x\. The prover chooses r, S2..., s„, C2, ..., c„ randomly in Z, 
and computes t\ = g” and ti = g^'Vi' for i = 2, Then he computes ci and 
si according to 



= ^(ffli2/ill-lll/n|ltill-ll*n||m) ~Y^Ci (mod q) 

i=2 



and 



Si=r — XiCi (mod 5). 

The prover has thereby computed SKDL\^]{g,yi,...,yn,m) = (ci,...,c„,si,...,s„). 




471 



The idea behind this is the faet that a SKDL can be forged if the challenge c 
is known before the computation of the commitment t. The verification condition 
of 5 jKPL["] is a linear equation over the Cf’s and therefore all but one Ci can be 
chosen before computing the commitments. It follows that at least for one Ui the 
discrete logarithm must be known and one of the partial SKDUs must be true. 

In [8] such proof systems were generalized to proof systems for proving the 
knowledge of all discrete logarithms of one out of several defined subsets of the 
set of public keys 3^ = {yi,--,yn} without revealing any further information. 
Formally, let F denote a monotone set of subsets of y, i.e., F C 2^. By combining 
n signatures of knowledge SKDL{g,yi) and a secret sharing system with access 
structure F*, it is possible to construct a system for proving the knowledge of 
the discrete logarithms of all j/i € <S for some S £ F, without saying which subset 
5 . 

Definition 3. A 2n-tuple (ci,...,c„,si,...,s„) satisfying 
V5' € F* : H(pl|yi||...l|j/„||5^'yril-ll5^"J/:;”ll’^) = \ Vi e 5'}) 

is a signature of knowledge of the discrete logarithm of all yi £ S {i/i, ...,2/n} to 
the base g for some 5 € F for the message m. Such a signature is denoted by 
SKDL[F]{g,yx,:-,yn,m). 

This signature system is similar to the one in Definition 2; here the secret sharing 
scheme implies conditions on the (partial) challenges c< by interpreting them 
also as shares, whereas in Definition 2 we have only one condition (i.e., a linear 
equation) on the challenges. If the challenges and the shares do not have the same 
domain, a mapping must be introduced (for further technical details see [8]). Let 
us show how such a signature of knowledge (ci, ...,c„, si, ..., s„) can be computed. 
Assume that xi, ...,Xj are the known secret keys and that S = {Fi, £ F. 

The prover chooses ri, ...,rj,Sj+i...,Sn,Cj+\, ...,c„ randomly in Z, and computes 

{oi,...,Cj} — *F(F , ■(Fj^_i , ..., Fn }, {cj^.! , ..., Cn}) O') , and 
Sk=Tk-CkXk (mod g) for fc = 1, ...,j . 

For the definition of the function see Section 3.2. 

Another primitive often used in cryptography (e.g. [5]) is a signature that 
the logarithms of two group elements with respect to two different bases are the 
same. Such a signature also implies the knowledge of these logarithms. 

Definition 4. A pair (c, s) satisfying 

c = n{h\\g\\z\\y\\h’z’'\\g^y’^\\m) 

is signature of equality of the discrete logarithm of the group element z with 
respect to the base h and the discrete logarithm of the group element y with 
respect to the base g for the message m. It is denoted by SEQDL{h,g,z,y,m). 




472 



This signature of equality can be seen as two parallel signatures of knowledge 
SKDL{h,z,m) and SKDL{g,y,m) where the exponent for the commitment, the 
challenges, and the responses are the same. By using several SKEQ in parallel 
and implying conditions on their commitments (similar as in the Definitions 2 
and 3), one obtains the signature systems SEQDL]^{h,g^zi,yi,...,Zn,yn-,Tn) 
and 5£^QDL[r](/i,g,2:i,2/i,...,2ri,l/n,«7), respectively. 

Our last building block are signatures of knowledge of a representation. The 
respective proof systems were first introduced in [4], Let y — n"=i sT some 

Definition 5. A (n+l)-tuple (c, si, ..., Sn) satisfying 

n 

i=l 

is a signature of knowledge of a representation of a group element y with respect 
to the bases ^i, for the message m. It is denoted by SKREP{gi, ...,gn,y,m). 

We now show how this signature of knowledge of a representation can be calcu- 
lated from jci, The prover chooses ri,...,r„ at random from computes 



C = 'W(3i!l...|lgnllyllfilm) (mod q), 



and 



Si = Vi — XiC (mod g) fori = l,...,n 

and thus obtains an SKREP{gi, ...,gn,y,m) = (c, si, s„). If the bases gi are 
chosen in a random or pseudo-random manner, computation of another than the 
known representation is believed to be as hard as the discrete logarithm problem 
and is called the representation problem. For further discussion see [4]. 

5 Construction of a Group Signature Scheme 

In this section an efficient simple group signature scheme and a generalized 
group signature scheme are proposed. They are based on the signature systems 
SEQDL[’^] and SEQDL[P], respectively. These underlying systems already fulfill 
the properties of a group signature scheme except those related to the group 
manager’s capability of “opening” a signature. 

In the following we present efficient solutions to achieve the missing properties 
by using a variation of the ElGamal encryption scheme (see Section 3) and the 
techniques discussed in the previous section. The solutions further allow a simple 
way of distributing the functionality of the group manager, as will be shown in 
Section 6. 




473 



5.1 An Efficient Simple Group Signature Scheme 

The algebraic setting is the same as in Section 4. In addition, let z = denote 
the public key of the group manager and u> her secret key. Each group member 
Pi chooses his secret key Xi randomly in Z, and computes the public key j/, = 
g^' . The group’s public key consists the list of all members’ public keys y = 
(yi: 2/n) and is published together with the manager’s public key and the 

system parameters. 

The idea behind the scheme is that in order to sign a message, a group 
member encrypts one of the public keys of 3^ = {yi,---,Vn} with the public key 
of the group manager and proves that 

— he encrypted one of the yi’s and that 

— he actually knows the discrete logarithm of the encrypted key. 

From this follows, that the group member must have encrypted his public key. 
More formally, to generate a signature of a message m, the group member Pj 
executes the following steps: 

1. choose a randomly in Z, 

2. encrypt r/j by computing A = z“ and B = yjg'^ 

3. calculate (ci, ...,c„,si, ..., s„) = SEQDL[i\{z,g,A,f^,..., A, -^, 711 ) 

4. calculate (c, s) = SKDL{g,B,m) 

The computed group signature is the tuple (A, B,ci, ..., c„, si, ..., s„, c, s) and 
can be verified by checking the correctness of SEQDL[^]{z, g, A, ..., A,^,m) 
and SKDL{g, B, m). 

The first signature assures that (A,B) is the encryption of an element of 
the list 3^ and the second signature guarantees that the signer actually knows 
the discrete logarithm of the public key encrypted in (A,B). The signer thus 
proves indirectly his knowledge of the discrete logarithm of an element of 3^ and 
therefore that he is a member of the group V. It can easily be seen that only 
group members can sign messages. 

To open a valid signature the group manager decrypts (.4, B) and immedi- 
ately obtains the public key of the signer. Assume that the group member Pj 
has signed. By computing the signature of equality 

SEQDL{g, z, B/{yj), A, Pj) 

the group manager can assure that she opened the signature correctly and that 
indeed Pj has issued this signature. 

5.2 A generalized Group Signature Scheme 

The system parameters are the same as for the simple group signature scheme. In 
addition to all public keys and to the system parameters, an authority structure 
r must be published. 




474 



The idea of the generalized scheme is similar to the one of the simple scheme. 
To sign a message m all members of an authorized coalition prove that each of 
them encrypted an element of T = {z/ij •■•2/n} and that they know the discrete 
logarithms of the encrypted values. Furthermore, they must also prove that the 
encrypted elements are all different. The problem with this approach is that the 
number of encryptions equals the size of the coalition, which should be kept 
secret. Therefore, the coalition must also encrypt some dummy values in order 
to provide n encryptions. 

More formally, to generate a signature of a message m, the group members 
forming an authorized set S £ F execute together the following steps; 

1. - choose oi, ...,a„, and for all i with yi ^ S randomly in Z, 

- for all yj G S encrypt yj : Aj — , Bj = yjg^^ 

— for all S encrypt g^': Ai = Bi = g^'g'^' 

2. calculate (ci, ...,c„,si, = SEQDL[r]{z,g,Ai,^,...,A„,^,m) 

3. calculate fe,Si) = 5ii'DZy(g,5i,m||ci||...||c„||si||...||s„) for f = l,...,n 

Member Pj must calculate the signature SKDL{g,Bj,m) and also parts of the 
signature in Step 2 alone in order to hide his secret key from the other members. 
All other computations should be performed by all group members on their own 
in order to assure themselves of the correctness of the outcome. The random 
choices in these common computations must be agreed upon by the group mem- 
bers in advance, for instance by choosing a random string each, committing to 
the string by hashing it, exchanging these commitments, then exchanging the 
random strings, and finally taking the XOR of all these random strings. The 
resulting group signature is the tuple (Ai, Bi, ..., A„, B„,ci, ...,c„,si, ..., s„, c, s) 
and can be verified by checking the correctness of the signatures of knowledge 
SEQDL[r]{z,g,A\,^,...,An,^,m) and SKDL{g,Bi,m) for alii 

The first signature assures that the list ((Ai, Bi), ..., (A„,B„)) contains the 
encryptions of some yj € y such that the corresponding Pj’s form an authorized 
coalition. The signatures generated in Step 3 assure that the authorized coalition 
was really involved, i.e., that the discrete logarithms of the encrypted j/^’s axe 
known. Here, the signature of Step 2 is appended to the message in order to 
bind the two steps together. This prevents the reuse of a SKDL in another run 
of the scheme. 

Again, it is easy to see that the group manager can find out whicli coalition 
provided the signature by checking the validity of the signature and decrypting 
all pairs (Aj,Bj). Note that a coalition cannot encrypt a public key of a member 
Pi ^ S not participating in the signing because then they could not provide the 
corresponding signature in Step 3 and therefore the group signature would not 
be valid. By computing the signatures of equality 

SEQDL{g,z,B/iyj),A,Pj) 

for all Pj having participated in the signing, the group manager can assure that 
she opened the signature correctly. 




475 



Remark. The signature can be made shorter if all c, are the same, i.e., all sig- 
natures SKDL{g, Bi, m) are merged and are verified simultaneously by checking 
the equation 



Of course, the signatures must then be computed in parallel and c calculated 
accordingly. This choice also binds Steps 2 and 3 together, i.e., the concatenation 
of the first signature to the message is not needed in this case. This is applied 
in the following example. 



5.3 An Example for a Threshold Group Signature Scheme 

In this section we give an example for a generalized group signature scheme 
with a threshold authority structure. Let k be the minimum number of members 
that must cooperate in order to sign and let f{x) = ^i—ij otix'' denote the 

polynomial of a secret sharing scheme with threshold k as described in Section 

3.2. To generate a signature of a message m, the group members forming an 
authorized set >S, i.e., |iS| > k, execute the steps below. In Step 2 it is indicated 
when the calculations must be performed by a specific member of the coalition, 
whereas in Step 3, all calculations for a specific j must be performed by member 
Pj for Pj € S. All other computations should by done by the coalition members 
on their own using the agreed-on random string, 

1. — choose Oi, ...,an, and bi for all i with Hi ^ S randomly in Z, 

- for all yj € <S, member Pj encrypts yj: Aj = , Bj = 

- for all 2 /i ^ 5 encrypt g^' : A{ = z “' , Bi = g^' 

2. compute SEQDL[P]{z,g,Ai,^,...,An,^) = (oq) w) ; 

- for all yj £ S, member Pj chooses Xj randomly in Z, and calculates 
tzj = 2’’^ and tgj = g^i 

- for all yi ^ S choose Vi and Cj randomly in Z, and compute tz,i = z’^'A^' 
and tg^i 

- choose ao,...,ak-i such that f{i) — Ci (mod q) for all i\yi ^ S and 
/(O) = c (mod q) 

- for all yj € S, member Pj computes Sj = Xj - f{j)aj (mod q) 

- for all yi^S set Si = Xi 

3. calculate the combined signatures SKDL{g,Bi,m) = (c, si, ..., s„): 

- for 2 = 1, ...,n choose fi randomly in Z, 

- for 2 = 1, ...,n compute U = g''' 

- c = H(pl|Ri||...|lR„||fi||...|ltnl|m) 




476 



— for i = 1, ...,n compute Si 



f fi - c{xi + Oi) (mod q) yi E S 
( - c{bi + ai) (mod q) liyi^S 



The group signature of m is the tuple (ao, --MQ/t-ii -^ij ■••i s„, c, si, s„). Note 
that instead of all Cj’s, the values ao, ajt-i are included in the signature. This 
makes the signature shorter but not less secure because c and all Cj’s are uniquely 
determined by ao, 

The group signature can be verified by checking the following equations: 




and 



where 



f(x)=ao+a^x+...+ak-ix'‘ ^ (mod 9). 



5.4 Security and Efficiency Considerations 

Let us shortly discuss the security properties of the generalized group signature 
scheme (which hold also for the simple scheme). 

Non-members cannot sign: If a non-member would be able to forge a group sig- 
nature, he would also be able to forge Schnorr signature. 

Signatures are unlinkable and anonymous: Unlinkability follows from the prop- 
erties of SEQDL[F] and from the fact that the yi's are randomly encrypted, 
which also guarantees anonymity. 

Authorized coalitions cannot sign on behalf of another coalition: Clearly, a coa- 
lition cannot sign on behalf of a coalition that includes members that are 
not included in itself. If a coalition contains an true authorized subset, some 
members try to make it appear as if they were not involved in the signing. 
This attack is prevented by the mutually agreed random string. 

The group manager cannot falsely accuse members: This is assured by the proof 
the group manager must provide as evidence in the procedure open. 

With regard to efficiency, all algorithms except open have efficiency linear in 
the number of group members. The size of the group’s public key and the length 
of signatures axe also linear in the number of group members. The algorithm 
open is independent of the group’s size (however, finding the identity of a signer 
given his key requires a look up in a database). 

Comparing the second scheme of [7] and our simple group signature scheme, 
it turns out, that our scheme is approximately four times more efficient in terms 
of computations of the signer and signatures are about the same ratio shorter. 
Furthermore, in [7] the algorithm open has an efficiency that is linear in the 
group’s size. 




477 



6 Extensions 

In this section we show how the functionality of the group manager can be shared 
among several parties (e.g. among the group members) and present a method 
for reducing the size of the group’s public key. 

6.1 Sharing the Functionality of the Group Manager 

To obtain higher security against fraudulent opening of signatures, the capability 
of the group manager can be shared among several managers according to an 
access structure such that only predefined subsets of the managers are able to 
cooperatively open a signature. 

To achieve this, the group manager’s secret key w must be shared among 
the managers and exponentiation with must be possible in a distributed 
manner without leaking information about the shares. 

For an access structure with threshold t and k managers, a realization is 
based on Shamir’s secret sharing scheme [18] and Feldman’s verifiable secret 
sharing scheme [11]- A solution to powering with is described in [12] for the 
case t < k/l if all managers are honest and for the case t < k/3 if up to t of the 
managers may be actively cheating. 

More general access structures are possible if exponentiation with is 
avoided, i.e., if signatures are opened as follows. Compute /A and then com- 
pare the result with the list {j/“, ..., j/"}. This list can be (pre-)computed (without 
revealing u?) during the setup of the system* . Then, for instance the monotone 
circuit construction of Benaloh and Leichter [1] can be applied over GF{q) and 
powering B with u> can be achieved by multiplying all , where ojj denotes 
the share of a manager in a qualified set. 

6.2 Reducing the Size of the Group’s Public Key 

The size of the group’s public key can be reduced using a technique proposed by 
Blom for public key distribution [2]. Let be a publicly known generator matrix 
of an (n, k) MDS code over The group’s public key now becomes {yi, ..., yk}- 
The public key of member Pj is then computed as 

Vi = 

1=1 

where 4>ij denotes the element of in row i and column j. These public keys 
are then used in Step 2 of the signature generating procedure. The secret keys 

* The computation of such a list can be avoided if normal ElGamal encryption is used 
in our group signature scheme. Then the signature systems in Step 2 and 3 must be 
adjusted: in Step 2 the Ti’s instead of the Bi's must be divided by the respective 
3 /i’s. and in Step 3 the signatures SKDLf^, Bi,m) must be replaced by signatures 
SKREP(^, 2 , Si, »n). This change would make the signatures somewhat longer, but 
the public key of the signer could be computed directly as Ai / Bi . 




478 



of the individual group members are computed similarly. This method has the 
disadvantages that a trusted third party is needed to compute the group’s public 
and secret keys, and that if more than k group members collude, they can find 
out all secret keys and therefore sign on behalf of any authorized set. Hence there 
exists a trade-off between the size of the group’s public key and the security. 

7 Open Problems 

In all previously proposed schemes, as well as in our scheme, the size of the 
group’s public key is linear in the number of group members. It is an open 
problem to construct a group signature scheme where the size of the public key 
and the amount of computation for signing and verifying does not depend on 
the size of the group (the only proposed schemes [13,16] with fixed size public 
keys were broken) . 

Acknowledgments 

It is has been a pleasure to discuss group signatures and the results of this paper 
with Christian Cachin, Ronald Cramer, Ueli Maurer, and Markus Stadler. These 
discussions greatly improved the paper. The comments of the anonymous referees 
were also welcomed. 

The author is supported by the Swiss Commission for Technology and Inno- 
vation (KTI) and by the Union Bank of Switzerland. 

References 

1. J. Benaloh and J. Leichter. Generalized secret sharing and monotone functions. 
In S. Goldwasser, editor, Advances in Cryptology — CRYPTO ’88, volume 403 of 
Lecture Notes in Computer Science, pages 27-35. Springer- Verlag, 1990. 

2. R. Blom. An optimal class of symmetric key generation systems. Proc. EURO- 
CRYPT’84, Lecture Notes in Comp. Sc., vol. 209, New York, NY: Springer Verlag, 
pages 335-338, 1985. 

3. G. Boyd. Digital multisignatures. In H. J. Beker and F. Piper, editors. Cryptography 
and Coding, pages 241-246. The Institute of Mathematics and its Applications 
Conference Series, Oxford Science Publications, 1989. 

4. S. Brands. An efficient off-line electronic cash system based on the representation 
problem. Technical Report CS-R9323, CWI, Apr. 1993. 

5. D. Chaum and T. Pedersen. Wallet databases with observers. In E. F. Brickell, 
editor, Advances in Cryptology — CRYPTO '92, volume 740 of Lecture Notes in 
Computer Science, pages 89-105. Springer- Verlag, 1993. 

6. D. Chaum and E. van Heyst. Group signatures. In D. W. Davies, editor, Advances 
in Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer 
Science, pages 257-265. Springer- Verlag, 1991. 

7. L. Chen and T. P. Pedersen. New group signature schemes. In A. D. Santis, 
editor, Advances in Cryptology — EUROCRYPT ’94, volume 950 of Lecture Notes 
in Computer Science, pages 171-181. Springer- Verlag, 1995. 




479 



8. R. Cramer, I. DamgMd, and B. Schoenmakers. Proofs of partial knowledge and 
simplified design of witness hiding protocols. In Y. G. Desmedt, editor, Advances 
in Cryptology - CRYPTO '94, volume 839 of Lecture Notes in Computer Science, 
pages 174-187. Springer Verlag, 1994. 

9. R. Croft and S. Harris. Public key cryptography and re-usable shared secrets. In 
H. J. Beker and F. Piper, editors. Cryptography and Coding, pages 189-201. The 
Institute of Mathematics and its Applications Conference Series, Oxford Science 
Publications, 1989. 

10. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete 
logarithms. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology - 
CRYPTO ’84, volume 196 of Lecture Notes in Computer Science, pages 10-18. 
Springer Verlag, 1985. 

11. P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In 
Proc. 28th IEEE Symp. Found. Comp. Sc., pages 427-437, 1987. 

12. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signa- 
tures. In U. Maurer, editor. Advances in Cryptology — EUROCRYPT ’96, volume 
1070 of Lecture Notes in Computer Science, pages 354-371. Springer Verlag, 1996. 

13. S. J. Kim, S. J. Park, and D. H. Won. Convertible group signatures. In K. Kim 
and T. Matsumoto, editors. Advances in Cryptology — ASIACRYPT ’96, volume 
1163 of Lecture Notes in Computer Science, pages 311-321. Springer Verlag, 1996. 

14. M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures for delegating signing 
operation. In 3rd ACM Conference on Computer and Communicatons Security, 
pages 48-57, New Delhi, Mar. 1996. acm press. 

15. K. Ohta and T. Okamoto. A digital multisignature scheme based on the Fiat- 
Shamir scheme. In H. Imai, R. L. Rivest, and T. Matsumoto, editors. Advances in 
Cryptology — ASIACRYPT ’91, volume 739 of Lecture Notes in Computer Science, 
pages 139-148. Springer- Verlag, 1993. 

16. S. J. Park, I. S. Lee, and D. H. Won. A practical group signature. In Proceedings of 
the 1995 Japan-Korea Workshop on Information Security and Cryptography, pages 
127-133, Jan. 1995. 

17. C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 
4(3):239-252, 1991. 

18. A. Shamir. How to share a secret. Commun. ACM, 22(11):612-613, Nov. 1979. 




Collision-Free Accumulators and 
Fail- Stop Signature Schemes Without Trees* 



Niko Baric* and Birgit Pfitzmann^ 

' dvg Hannover, Postfach 91 02 40, D-30422 Hannover, Germany 
^ Universitat Dortmund, Irvformatik 6, D-44221 Dortmund, Germany; 
email pfitzb@ls6.informatik.uni-dortmund.de 



Abstract. One-way accumulators, introduced by Benaloh and de Mare, 
can be used to accumulate a large number of values into a single one, 
which can then be used to authenticate every input value without the 
need to transmit the others. However, the one-way property does is not 
sufficient for all applications. 

In this paper, we generalize the definition of accumulators and define 
and construct a collision-free subtype. As an application, we construct 
a fail-stop signature scheme in which many one-time public keys are 
accumulated into one short public key. In contrast to previous construc- 
tions with tree authentication, the length of both this public key and the 
signatures can be independent of the number of messages that can be 
signed. 



1 Introduction 

The security of digital signature schemes depends on so-called computational 
assumptions, e.g., the factoring assumption. If somebody can break the assump- 
tion on which the system is based, and if he can therefore get the private key 
of the signer, he can construct signatures on messages chosen by himself. The 
signer cannot prove that she did not sign those messages herself. 

This disadvantage was overcome with the introduction of “fail-stop” signa- 
ture schemes, e.g., [WaPf90, PfWa90, HePe93, PePf97]. With these schemes, the 
signer can produce a so-called proof of forgery to demonstrate that she did not 
sign a message. This proof shows that the computational assumption has been 
broken (fail) and that the system should therefore not be used any longer (stop). 

Most of the currently known basic constructions of fail-stop signature schemes 
(FSS schemes) can only be used to sign one single message. FSS schemes for 
more than one message have been constructed based on these one-time FSS 
schemes by using tree authentication to authenticate the public one-time keys. 
Consequently, the length of signatures in such a scheme grows logarithmically in 
the number of messages that can be signed. The question whether this can be 

* Work done while both authors were at the University of Hildesheim. Supported by 
the DFG (German Research Foundation). A preliminary version was available as 
[Pfit94], more details can be found in [Bari96j. 



W. Fumy (Ed.); Advances m Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 480-494, 1997. 
© Springer-Verlag Berlin Heidelberg 1997 




481 



avoided was also the main gap between known lower and upper bounds on the 
complexity of fail-stop signature schemes [HePP93] ■ 

The accumulators presented in [BeMa94] seem to be a solution to this prob- 
lem: a large number of values is accumulated into one value z. Later on, for 
authentication of one of those values, y, an additional value is computed that 
will authenticate y with respect to z. The length of 2 : and the additional value 
can be independent of the number of values to be accumulated. If we use this 
for FSS schemes and accumulate all the public one-time keys, the length of the 
resulting public key and the signatures can be independent of the number of 
messages. 

The accumulators defined in [BeMa94] have only a one-way property, i.e., 
given an output, it is hard to find a suitable input. Unfortunately, this is not 
enough for an FSS scheme, because the adversary may be able to choose the one- 
time public keys (i.e., the values to be accumulated), and thus to some extent 
the accumulated output, himself. Therefore we define and construct collision-free 
accumulators. We take the opportunity to generalize the accumulators defined in 
[BeMa94] to contain only those properties that are needed for our purpose and 
also to include newer accumulators from [Nybe96a, Nybe96b]. The new collision- 
free accumulators are then included into a modular FSS scheme. Thus now we 
really have a scheme, where the length of both the public key and the signatures 
is independent of the number of messages. 

The goal of constructing schemes without trees is similar to recent efforts 
with non-fail-stop provably secure signatures to shorten the signatures by flat 
trees [DwNa94, CrDa96], but the measures developed there cannot be used for 
FSS schemes. 

1.1 Organization of this Paper 

In Section 2, we present our definitions and constructions of accumulators. In 
Section 3, we describe conversion algorithms as an interface between the one-time 
FSS scheme and the accumulator which is used to authenticate the individual 
public one-time keys. The general construction of our accumulator FSS scheme 
is given in Section 4. Two example accumulator FSS schemes follow in Section 5. 

2 Accumulators 

Accumulators were introduced in [BeMa94] as a new way of “summarizing” a 
large number N of values in one value. The accumulators as defined in [BeMa94] 
have some properties we do not need for our purposes, so we generalize their 
definition a little. Then we define some subtypes of accumulators with different 
levels of security. Nevertheless, the accumulators as given in [BeMa94] are an 
important subtype that we call elementary accumulators (see Section 2.2). 

2.1 General Accumulators 

Definition!. A family a of accumulators has the following components: 




482 



- Sets accu-keys(k, N)^ which contain all possible keys for the security para- 
meter k and the number JV of values to be accumulated, and a probabilistic 
polynomial-time algorithm accu^gen(k, N) that chooses an accumulator key 
n from accu-keys{k,N). If the choice is uniformly random, we often simply 
write 

In our examples, accu-keys{k, N) is independent of N. 

- Sets Yn containing the suitable inputs for an accumulator key n. 

- A probabilistic polynomial-time algorithm accu.eval which, on input an ac- 
cumulator key n and N values yi,...,yn € Yn, outputs a value 2 ; and an 
auxiliary value aux, which will he used by the other algorithms. 

We write o,n{y) , ■ ■ ■ ,yN) instead of accu.eval{n, yi, . . . ,y]w). 

Every execution of accu-eval with the same input {n,y\,. . . , y^) must yield 
the same output z. 

- A probabilistic polynomial- time algorithm auth that, on input n, yi, and aux, 
computes a value accu, from a set Accun, which is needed to authenticate 
Vi- 

We write authn{y%, aux) instead of auth{n,yi, aux). 

- A polynomial- time algorithm authentic which, on input {n, z,yi, accui), 
checks whether i/j € Yn together with accui 6 Accw„ is authenticated by z. 
If so, the output is ok, otherwise not.ok. 

We write autkenticn{z,yi, accui) instead of authentic[n, z, yi, accu,). 

Additionally, there must be two polynomial- time algorithms: one that, on input 
n and y, checks whether y £ and one that, on input n and accu, checks 
whether accu £ Accu„. Finally, we require that every yi in the input of a„ can 
be authenticated by the output of a„, formally: 

Vfc VA” Vn € accu.keys{k, A) V(i/i, . ■ ■ ,Vn) € Y^'- 
If (z,aux) <-a„(j/i,..., 2 /Ar) 
then Vz e A}: 

authenticn{z,y,, authniyi, aux)) = ok. 



In [BeMa94], a one-way property is defined for accumulators. Generalized to 
our definition, it means that it is hard for an adversary who is given values 
( 3 /I; • ■ • their accumulation result z, and another value y' to find a value 

accu' that authenticates y' with respect to z. 

That article also informally considers a slightly stronger property that we call 
strongly one-way. It means that given only {yi, ... ,yf^) and z, it is hard to find 
a pair {y', accu') such that authenticn{z,y' , accu') = ok with y' ^ {j/i, . . . ,yN}- 
I.e., now the attacker can choose the value y' himself. The importance of a strong 
one-way property was also recognized in [Nybe96a] . 

For our accumulator FSS scheme, we need an even stronger property, because 
the adversary might be able to choose all the public one-time keys that are to 
be accumulated, i.e., not even the values y\, ... ,yN are now given. 




483 



Definition 2. A family a of accumulators is N -times collision-free for > 1 if it 
is hard to find yi, - ■ . ,vn, another value y' and accu' such that y' is authenticate 
by accu' and an{yi ,yN): for all probabilistic polynomial-time adversaries A, 
all c > 0, and all sufficiently large k: 

F ^authentic n{z,y' , accu') — ofc A i/' ^ (yi, . . . , 3/iv} 

Ay'.yi, . . . ,?/w e Vn A accu' e Acc?r„ :: 
n <— accu^gen{k,N)] 

[accu',y',yi,...,yN) <- A{k,N,n)\ 

{z,aux) ^ an{yi, - . . ,vn)^ < 



Definition 3. A family a of accumulators is collision-free if a is 7V-times collision- 
free for all > 1. 

2.2 Elementary Accumulators 

In [BeMa94], accumulators were defined as functions /i„; A„ x — + A„, where 

n is again an accumulator key. With repeated use as in 

z = hn(^- ■ ■ h„ {hn{x, yi),y 2 ), -yN^, 

where the result of one application of /i„ is inserted as the first argument in the 
next application of h„, all yi, . . . ,yN G Yn are accumulated to a value z € 
given an initial value x € Start„ C 

With such a function h„, we can create an accumulator U(„ ,j) according to 
the general definition, where the initial value x is part of the key of a, as follows; 

(z, aux) - 1 Vn) 

with z as above and aux = {x,yi, . . . ,yi\i). We use {x, yi , . . . , yjv) as the auxiliary 
output, so that we can use it for the computation of the values acew,. 

In [BeMa94], such a function h„ has to be quasi- commutative, i.e., 

hn{hn{x,yi), y 2 ) = (h„(x, 7 / 2 ), yi) for all x € A„ and Vi,y 2 € 

We do not need this property for our accumulator FSS scheme, but if one has 
a function with this property, one can easily construct algorithms to create and 
verify the values accui [BeMa94]: 

authn{yi, [x,yi, . ■ .,yN)) = K -hn^hni- - ./i„(x,yi), . . . yi_i) , yi+i^ , . . .yiv^ 
and 

authenticn{z,yi, accUi) = oA: iff z = yi). 

In this case, the list of all values accUi can be computed with 0{N • log 2 N) 
applications of with a tree-like evaluation. This can be done offline after z 
has been published. 




484 



2.3 Examples 

In the following two subsections, we give two examples of accumulators. Both 
are based on the elementary accumulator given in [BeMa94], but with some 
modifications to fulfill the collision-freeness needed for the accumulator FSS 
scheme. 

Another elementary and strongly one-way accumulator is described in 
[Nybe96a, Nybe96b]. In short, it uses a hash function h that generates a long 
random output Oi of fixed length r ■ d for every input yi, where r and d are 
two security parameters. Then Oi is transformed into a bitstring bi of length r 
that has far more I’s than O’s. To accumulate the values (j/i, . . . the cor- 

responding strings h,; are multiplied modulo 2 coordinatewise. In the result, a 
bit can be zero only if at least one hi has a zero bit at the same place. The 
main advantage of this accumulator is the absence of any trapdoor information, 
whereas in the following accumulators baaed on the RSA assumption, someone 
knows the factors of the RSA modulus. A disadvantage is its long output, too 
long for the public key of an FSS scheme. 



RSA Accumulator Without Random Oracle. The first example is almost 
the same accumulator as presented in [BeMa94], based on the elementary accu- 
mulator function hn{x, y) = mod n. 

Definition 4. The following family is called RSA accumulator without 
random oracle: 

- accu.keys^^^{k, N) {(n,x) | n 6 RSA.Mod{k) A x € 

~ := {?/ I 1 / < ^ A i/ prime] 

~ • • • i2/iv) — mod n 

- ('(/,, (x,jfi,...,yiv)) ~ ;r!'i -V'-iWi+'-yN mod n 

- authentic^^^-^{z ,y , accu) := ok iff accuy = 2 (modn) 

Here, RSA-Mod{k) is the set of R.SA moduli of length k [RSA78]. The difference 
to the original accumulator is the restriction of the input domain to prime num- 
bers. In addition, to prove collision-freeness, we have to make a stronger RSA 
assumption. 

Assumption (strong RSA assumption). For all probabilistic polynomial- 
time algorithms A, all c > 0, and all sufficiently large k, 

= x(modn) A e prime A e < n 
n Er RSA-Mod(k)\x £r Z„;(iy,e) <— A{n,x)) < k^'^. 

Thus the adversary A is given n and x as in a usual RSA assumption, but he 
may choose the exponent e for which he extracts the root. We are neither aware 
of any corroboration that it should be hard, nor can we break it. Four obvious 
attacks do not work, i.e., they are equivalent to breaking some other problem 
believed to be hard: 




485 



— If the adversary chooses a random e first, he has to break RSA. 

- If he chooses a random y first, he has to compute a discrete logarithm, 

— If he tries to find d and e with y = x‘^ and {x^) = x, then ord(a;) divides 
/ ;= de — 1, where ord(x) is the smallest i > 0 with ;c* = 1 (mod n). He can 
then also break RSA for the same n and x: Let a random public exponent e' 
be given. It is sufficient to consider the case where e' is prime and no factor 
of /. Then we set d' ;= e'~^ mod / and obtain [x'^ )'" = x (mod n) because 
ord(u;) divides d'e' - 1. 

- The attacker could try to choose special values e for which RSA would be 
easier to break. However, no such exponents seem to be known. There are 
attacks for short secret exponents [WienQO], but our e corresponds to the 
public exponent, and we see no way for the attacker to influence the cor- 
responding secret exponent. A well-known attack on short public exponents 
[Hast86] only applies to situations where the attacker sees several messages 
encrypted with that exponent using different moduli. Similarly, the new class 
of attacks on short public exponents in [CFPR96] only applies to situations 
where the attacker sees the ciphertexts of several messages with a known 
polynomial relationship, encrypted using the same modulus. 

Theorems. Under the strong RSA assumption, is collision-free. 

Proof sketch. An adversary who finds a collision in for given n, x, i.e., who 
finds yi, ■ ■ ■ ,vn^ y' ■. and accu' with 

accu’^ = (mod n), 

can break the strong RSA assumption as follows: Let e := y' and r yi ■ • ■ yN- 
Now the e-th root y of x can be constructed as in [Sham83, BeMa94]: Compute 
a, 6 G 2 with ar-\-by' = 1 with the extended Euclidean algorithm (this is possible 
because y' is prime) and let y := accu"^x'’. Thus 

= ttccu'“^ x^^ = j.i'a+by ^ 



□ 



RSA Accumulator With Random Oracle. The second example uses, as 
the name of the first suggests, a random oracle f? [BeRo93] . Whenever asked to 
compute n{y) for a new value y, the oracle generates a random number r as its 
answer, and it stores all previous pairs (y,r) so that it answers with the same r 
if asked the same y again. 

In practice, one replaces the random oracle by an efficient hash function. Of 
course, this replacement is only a heuristic. 

By using a random oracle, we can construct an accumulator that is collision- 
free under the normal RSA assumption. The elementary accumulator uses the 
function 



{x, (y, dist)) := „,od n. 




486 



We do not use fi{y ) directly, because in the proof we will need that the exponents 
are prime numbers. So we append I bits such that 2*i?(?/) + dist is prime. Of 
course, this might not be possible for all values of y, so we accept only those y’s 
as input for which a suitable dist exists. 

Definition 6. Let a family M of sets Mk be given where membership is decid- 
able in polynomial time. It contains the values that we really want to accumulate 
for each security parameter k. The following family is called RSA accumulator 
with random oracle (for M): 

— accu-keys^^^^ {kj N) := {{n, | n€ RSA^Mod{k + l) 

A O e {/ I /: M Z„div 2 '} A I = [loga 2k] A x £ Z„} 

“ \ y & Aik A dist € Z 2 ‘ A 2‘f2{y) -t- dist prime}, i.e., 

the values that we actually accumulate are pairs of a value that we want to 
accumulate and a suffix that turns its hash value into a prime number. 

2-(2‘r3(yi ) + dtsi 1 ) ■(2*r?(s/(v) + d»sf/v ) 

dist j), (x, (r/i , dist \ ),..., (^yv , dist jy]] ^ . 

^{2‘ n{yi) + disti)--{2‘ n{yi-i) + disti-i){2‘n{yi + , )+disti^i)--{2‘ n{yn) + distN) mod U 

— authentic^^^^^i ,.^[z,{y,dist),accu) := ok iff accu ^' = ^(modT?,) 

Theorem 7. This accumulator is collision-free under the normal RSA assump- 
tion. 

Proof sketch. We have to show that for all N, all probabilistic polynomial-time 
algorithms A, all c > 0, and all sufficiently large k, 

P = j.('A S7(yi) + dtsti)..(2‘ nCyN ) + 

A{y',dist') i {{yi,distx),...,{yN,distN)) 

A{y’ ,dist'),{yi,disti),. . . ,(yki,distN) € {{y,dist) j y £ Mk 
A dist £ {0, . . . , 2^ — 1 } A 2^ Q{y) + dist prime} 

A accu' £ Tin :: 

I riog .2 2k]-,n £h RSA^Mod{k + /); 

£r {/ I /: Mk 2,j; 

[accu' , (y', dist'), [yi , disti), . . . , [pn, distil)) «— T^(fc, N, n, I, x)^ 

1 

< — , 

~ k<'- 

where A^^ means A with access to the oracle fL Assume that an algorithm A 
contradicts this inequality for some N. We can then construct an algorithm A^ 
that calls A^ and, whenever that is successful, sets 

r' := 2^f2[y') -f dist' and 

r, := 2‘f}{yi) -P disti for i = 1, . . . , TV, 




487 



and computes the r'-th root of x using the extended Euclidean algorithm for 
these values as in the proof of the previous theorem. The only exception is if 
r' equals one of the r^’s. Then an oracle collision has been found, which can 
only happen with very small probability. Hence it is sufficient to prove for all 
probabilistic polynomial-time algorithms j4i, all c > 0, and all sufficiently large 
k, 

P(y^ — X A r' prime A r' < n A dist' <2‘ :: 

I := [log 2 2k];n €ft RSA-Mod{k -f /); 

{/ I f - —> cliv 2’ } ; 3 ; €r 7Ln \ 

{y,y\ dist') <— A?{k^ N, n,l-,x)\r' 2^ Q{y') + dist'\ < — . 

Without loss of generality, we can assume that Ai has asked the oracle for 
J7(r/'). The number of values that Ai risks for is bounded by a polynomial Q{k). 
Whatever strategy Ai uses in choosing its oracle queries, it amounts to the same 
thing as if it were given a list of Q(k) random numbers p and had to select 
r' among the numbers 2‘p -f dist. Thus this new adversary A 2 is given a list of 
Q{k) ■ 2^ exponents and has to extract a root for at least one of them. If this were 
possible with non-negligible probability, it would also be possible to extract an 
e-th root for one given random e. For this, a new adversary A^, given e, inserts 
(e div 2 ') at a random place into a list of Q{k) — 1 random numbers and appends 
the values dist. A^ calls A-i, and with a probability smaller by the factor Q{k)-2^ 
it gets the e-th root of x (recall that 2* « k). □ 

The proof also shows another result that is interesting in practice, where the 
function used instead of the oracle is not perfect; To find an accumulator collision, 
one at least either has to either find a collision of this function (where collision- 
freeness is a much weaker requirement than “being like an oracle”) or to break 
the strong RSA assumption. 

3 Conversion Algorithm 

We want to use collision-free accumulators as defined in the previous section to 
accumulate the public one-time keys in an FSS scheme. But what if the public 
one-time keys are not suitable as input for the accumulator? For example, the 
RSA accumulator without random oracle as defined in Section 2.3 needs prime 
numbers as input, and none of the known FSS schemes uses prime numbers as 
public one-time keys. Hence one has to convert the public one-time keys to prime 
numbers that can then be accumulated by the accumulator. 

Of course, such a conversion could be done within the underlying one-time 
FSS scheme or within the accumulator. But then one has to prove their security 
again. Thus it seems better to use a simple conversion algorithm that has no ef- 
fect on the security as an interface between the FSS scheme and the accumulator. 
In this way, we get a general modular construction for which one can use any 




488 



collision-free accumulator and any one-time FSS scheme provided that one finds 
a conversion algorithm for them. As examples, we present two instantiations in 
Section 5. For this purpose, we use a family A of conversion algorithms, which 
has the following components: 

— A function calc-pars that computes the security parameters k' for the ac- 
cumulator and {k*,a*) for the underlying FSS scheme if given as input 

TV), the security parameters of the desired accumulator FSS scheme 
and the number of messages to be signed. The output must fulfill 

k'^k” > k and a* > a. 

— A polynomial-time algorithm A-gen which, on input k* , a* and an accumu- 
lator key n, computes a key par specifying an individual member of A. 

— A probabilistic polynomial-time algorithm A.eval which, on input a conver- 
sion key par and a public one-time key pk^, outputs either a value pk^ £ 

(a suitable input for the accumulator with the key n) or “unsuitable”. The 
success probability should at least be the inverse of some polynomial; in the 
examples, it will be at least constant. 

We write Aparipki] instead of A..eual(par,pk^). 

— A polynomial- time inversion algorithm, abbreviated A~^^, with 
Ap^^{Apar{pkij) = pk^ for all Apar(pk^) / “unsuitable”. 

Note that the conversion of a one-time key is not necessarily deterministic, but 
the inversion has to be. So it is possible to include some random bits in the 
output of Apur that are needed for an accumulator, but the result of 
always unique. 

We now show the core of a simple example Aprim, which we will use in 
Section 5. It converts input numbers into prime numbers, if possible, using the 
same idea as in Section 2.3; The parameter par is a small integer 1. On input 
a; € IN, the algorithm Aprim,; checks for dist = 1, 3, . . . , 2^ — 1 whether the number 
2^x -t- dist is prime. If so, it returns 2^x -1- dist, otherwise “unsuitable”. To get 
X back from the output x, the inversion algorithm simply cuts off the I least 
significant bits. 

Another example of a conversion algorithm is of course the identity function, 
which can be used whenever no conversion is necessary. 

4 Accumulator FSS Scheme 

In this section, we describe the accumulator FSS scheme. It is based on 

— a one-time FSS scheme with prekey and parameters {k*,a*), 

— a family of collision-free accumulators with parameters (fc', TV), and 

— a family of conversion algorithms for the one-time FSS scheme and the ac- 
cumulator. 




489 



4.1 One-time FSS Scheme with Prekey 

We use so-called one-time FSS schemes with prekey, e.g., [PePf97]. This prekey 
is generated by a center trusted by all recipients and verified by the signer, who 
need not trust the center. The center is used instead of the recipients themselves 
for simplicity. Based on this prekey, the signer can generate as many one-time 
key pairs as she wants. Among the two security parameters, a* is chosen by the 
signer for her information-theoretical security, whereas k” is chosen by the center 
for the computational security of the recipients. 

For simplicity, we only consider schemes that fulfil the simplified security 
criteria for schemes with prekey from [Pfit96, Theorem 7.34]. First, this means 
that proofs of forgery only depend on the prekey. This is natural because only 
the prekey is not chosen by the signer, i.e., a proof of forgery has to show a secret 
hidden in the prekey. Secondly, it is required that for every good prekey (one 
that the signer accepts with significant probability), for every one-time key pair 
based on it and every forgery, the probability that the forgery cannot be proved 
is at most 2“'^* . 

4.2 Construction 

Key generation. The accumulator FSS scheme gets only {k,a^N) as input. 
The remaining security parameters are calculated with 

{k',k*,a*) cale-pa.rs(k,a, N). 



The center generates 

- a prekey, using the algorithm gen{k*,(7*) of the one-time FSS scheme. 

- an accumulator key n with n «— accu-gen{k' , N). 

- the parameter for the conversion algorithm as par := A-gen{k* ,<t* ,n). 

The signer verifies the prekey. She need not verify the accumulator key because 
it has no effect on her security. A weak accumulator key may make it easier for 
an adversary to find an accumulator collision and forge a signature. But this is 
no problem for the signer because she can show the collision as a proof of forgery. 
All these global values are part of the signer’s public key, but for readability we 
omit them in the following. 

The signer now chooses N key pairs (sk^jpki) of the underlying one-time FSS 
scheme, based on the given prekey. 

She computes pk^ := Ayar{pk^) for i = 1, . . . , fV. If there is any pk^ ^ Ym i.e., 
pk^ = “unsuitable'’, she has to generate a new key pair [ski,pkj) and to repeat 
the computation of pk^. 

Finally, the signer computes the main public key pk of the accumulator FSS 
scheme by accumulating the pk^’s: 

{pk, aux) *- an{pk^,. . .,pkf^). 




490 



She publishes pk and stores aux for later use. Formally, her secret key sk contains 
not only the secret one-time keys sk\ , sfcjvr, but also the converted public one- 
time keys pki, . . .,pk;^ and the auxiliary output aux. 

Signing. The signature on the i-th message, mi, is 

s := {si,pk^, accui), 

where ,Si is the one-time signature on this message with the one-time key ski, 
and pfcj and accui are needed for the authentication of the one-time public key 
pk^. The value accui is computed using 

accUi *— authnipki, aux). 

Since accUi is independent of the message, it can be precomputed when the 
computer is idle. 

Testing. A value s = {si, pk^, accUi) is an acceptable signature on the message 
m, iff 

1. Si is an acceptable one-time signature on m* with respect to pki = 

2. Mi e y„, 

3. accui € AccUn, and 

4. pk authenticates pk^, i.e., authentir.„{pk,pki, accui) = ok. 

Proving Forgeries. If {s' ,pk' , accu') is an acceptable signature on a message 
m' not previously signed by the signer, she can generate a proof of forgery as 
follows: 

1. li pk' = Ap^riP^') € {Mu • • • iMn}) she tries to generate a proof of forgery 
in the one-time FSS scheme. 

2. Otherwise, she shows the accumulator collision 

proof ;= ((Mu ■ ■ ^ (M^ accu')) . 

This proof shows that the assumption on which the accumulator is based 
has been broken. 

Verifying Proofs of Forgery. 

1. If proof is said to be a proof of forgery in the one-time FSS scheme, one 
verifies that. 

2. Otherwise proof is accepted iff it fulfills the following conditions: 

(a) pk' i {pk^,.. 

(b) Mu • • • ,MauM' € y„, 

(c) accu' £ AccUn and 

(d) authentiCn{pk, pk' , accu') = ok with {pk, aux) <— a„(Mu ■ ■ • jP^n)- 




491 



4.3 Security 

Theorems. The accumulator FSS scheme as defined in the previous section is 
secure for both the signer and the recipients as defined in [PfWaOO, PePf97]. 

Proof sketch. For the information-theoretic security of the signer, we first show 
that any forgery that is not a forgery in the one-time FSS scheme, i.e., that 
does not fulfil the condition of Item 1 in “Proving Forgeries”, is provable with 
probability 1: If pk' ^ {pki, . . . ,pkp^}, then pk' ^ {pk^, . . . ,pkj^} because the 
inversion is deterministic. Thus the value the signer computes in Item 2 is 
indeed an accumulator collision. 

If the forgery is in the underlying one-time scheme, the signer can prove it 
with an error probability less than 2'"” , and thus less than 2^*^ (given that the 
prekey is good), because 

- with probability 1, she finds the one-time key pair (ski,pkfi) whose public 
one-time key the forger has used, 

- for every generated one-time key pair, the probability is at most 2””^ that 
no proof of forgery can be found in the underlying FSS scheme, independent 
of the number of “unsuitable” public one-time keys generated before, and 

- the forger gains no information about .ski by the accumulation. 

The recipients want to be secure that no signatures they have accepted become 
invalid. Thus it should not be possible that 

- an adversary computes an acceptable signature that will be (correctly) proven 
to be forged by the signer, and that 

- the signer can (incorrectly) deny a previously generated signature using a 
proof of forgery. 

Hence it is sufficient to show that no proof of forgery can be computed. This 
is (computationally) true because a proof of forgery of the new scheme implies 
either a successful proof of forgery in the underlying one-time FSS scheme or a 
collision of the utilized accumulator. Since for both parts the security parameter 
is at least k (guaranteed by the function calc -pars), neither should be possible 
for a polynomially restricted forger. That some key pairs are thrown away during 
key generation does not help the adversary, because the proof is based on the 
prekey alone. □ 



5 Examples 

We construct two examples of accumulator FSS schemes, using the two accu- 
mulators from Section 2.3. As the underlying one-time FSS scheme, we choose 
the one described in [HePe93]. It is based on the Discrete Logarithm assump- 
tion. Its public keys are pairs (a, h) of elements of the group where computing 
discrete logarithms is assumed to be hard; let their length in bits be the security 




492 



parameter k* . The algorithms of the accumulator FSS schemes are clear from 
the previous section as soon as we fix the conversion algorithms. 

The first examples uses the accumulator It needs prime numbers as 

inputs, so we convert the one-time public keys (a, f») with Tprim, interpreting 
(a, b) as one 2fc*-bit number. 

The security parameters for the one-time FSS scheme and the accumulator 
are calculated by 

(A;', k* ,<j*) — calc-pars{k, a, N) := (2k + [log 2 2A;] + 1, k, a), 
and the key of the conversion algorithm by 

I = A^gen(k* ,(T* , n) ;= flog 2 2fc*]. 

These functions guarantee that the converted public one-time keys are in the 
domain of the accumulator: The parameters for the one-time FSS scheme are 
simply the given k and a. The parameter k' for the accumulator is set such that 
the RSA modulus is longer than a one-time FSS key and the appended value 
dist. The length I of dist is a somewhat arbitrary value ensuring that a prime 
will typically be found in the search interval. 

The second example is based on the RSA accumulator with a random oracle 
assumption. This accumulator needs pairs (pki, disti) as input, so the conversion 
algorithm is similar to Aprim.o but returns (pki, disti) instead of 2^^(pk^) + disti 
if that value is prime. The security parameters are computed with 

(k',k*,a*) = calc.pars(k,a, N) := (k,k,a) 
and the key of the conversion algorithm is 

A.gen{k*,a\(n,Q,l,x)) ■- (l,n). 

Concretely, this means that the length of the RSA modulus used for the accu- 
mulator is independent of the length of the one-time keys, because only oracle 
outputs with appended values dist are accumulated, and the length of the oracle 
output is adapted accordingly. 

6 Conclusion 

We have presented a generalized definition of accumulators and the definition of a 
collision-free subtype. We constructed two collision-free accumulators, one based 
on a stronger RSA assumption than usual, the other based on a random oracle 
and the normal RSA assumption. We remind the reader that no new assumption 
in cryptology should be trusted, i.e., we certainly do not recommend the first 
version for use in practice for quite some time. These accumulators can be used 
to construct fail-stop signature schemes in which the length of the public key 
and of the signatures is independent of the number N of messages that can be 
signed, while the additional cost for signing is small, especially because most of 
the signature can be computed and sent before the message is known. 




493 



Key generation, however, takes significantly longer than in constructions with 
trees. To avoid the precomputation of a very long secret key, one can combine 
the constructions with top-down tree authentication. In this way, we get flat 
trees similar to those in [DwNa94], For instance, one might use accumulation 
for 1024 pairs {sk^,pki) each, form a tree with two levels of such structures, and 
generate the structures of the lower level on demand, signing their “public” keys 
with the secret keys of the upper level. Thus one can sign one million messages 
with one public key. A complete signature consists of the accumulation result z 
of one lower-level structure and two accumulator FSS signatures as described in 
Section 4. 



Acknowledgments 



We thank Michael Waidner, Joachim Biskup, Andreas Pfitzmann, and Ute von 
Jan for helpful comments on this paper. 



References 



[Bari96] 

[BeMa94] 

[BeRo93] 

[CFPR96] 

[CrDa96] 

[DwNa94] 

[HastSG] 

[HePe93] 



Niko Baric; Digitate Signaturen mit Fail-stop Sicherheit ohne Baumau- 
thentifizierung. Diplomarbeit, Institut fiir Informatik, Universitat Hildes- 
heim, July 1996. 

Josh Benaloh and Michael de Mare: One-Way Accumulators: A De- 
centralized Alternative to Digital Signatures. In Advances in Cryptology 
— EUROCRYPT ’93, LNCS 765, pages 274 -285. Springer- Verlag, Berlin, 
1994. 

Mihir Bellare and Phillip Rogaway: Random Oracles are Practical: 
A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on 
Computer and Communications Security, November 1993, pages 62 73. acm 
press, New York, 1993. 

Don Coppersmith, Matthew Franklin, Jacques Patarin, and Mi- 
chael R.EITER: Low-Exponent RSA with Related Messages. In Advances 
in Cryptology — CRYPTO ’96, LNCS 1070, pages 1-9. Springer- Verlag, 
Berlin, 1996. 

Ronald Cramer and Ivan B. Damgard: New Generation of Secure and 
Practical RSA-Based Signatures. In Advances in Cryptology — CRYPTO 
’96, LNCS 1109. Springer- Verlag, Berlin, 1996. 

Cynthia Dwork and Moni Naor: An Efficient Existentially Unforge- 
able Signature Scheme and its Application. In Advances in Cryptology - 
CRYPTO ’94, LNCS 839, pages 234-246. Springer- Verlag, Berlin, 1994. 
Johan Hastad: On Using RSA with Low Exponent in a Public Network. 
In Advances in Cryptology — CRYPTO ’85, LNCS 218, pages 403—408. 
Springer- Verlag, Berlin, 1986. 

Eugene van Heyst and Torben P. Pedersen: How to Make Efficient 
Fail-stop Signatures. In Advances in Cryptology — EUROCRYPT ’92, 
LNCS 658, pages 366 377. Springer- Verlag, Berlin, 1993. 




494 



[HePP93] Eugene van Heijst, Torben P. Pedersen, and Birgit Pfitzmann: New 
Constructions of Fail-Stop Signatures and Lower Bounds. In Advances in 
Cryptology — CRYPTO ’92, LNCS 740, pages 15-30. Springer- Verlag, Ber- 
lin, 1993. 

[Nybe96a] Kaisa NyderG; Commutativity in Cryptography. In Proceedings of the First 
International Workshop on Functional Analysis at Trier University, pages 
331-342. Walter de Gruyter, Berlin, 1996. 

[Nybe96b] Kaisa NyrerG: Fast Accumulated Hashing. In 3rd Fast Software Encryp- 
tion Workshop, LNCS 1039, pages 83-87. Springer- Verlag, Berlin, 1996. 

[PePf97] Torben P. Pedersen and Birgit Pfitzmann: Fail-Stop Signatures, to 
appear in SIAM Journal on Computing, 26(2):291-330, April 1997. 

[Pfit94] Birgit Pfitzmann: Fail-Stop Signatures Without Trees. Hildesheimer 
Informatik-Berichte 16/94, ISSN 0941-3014, Institut fiir Informatik, Uni- 
versitat Hildesheim, June 1994. 

[Pfit96] Birgit Pfitzmann: Digital Signature Schemes — General Framework and 
Fail-Stop Signatures. LNCS 1100. Springer-Verlag, Berlin, 1996. 

[PfWa90] Birgit Pfitzmann and Michael Waidner: Formal Aspects of Fail-stop 
Signatures. Interner Bericht 22/90, Fakultat fur Informatik, Universitat 
Karlsruhe, December 1990. 

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard Adleman: A Method for 
Obtaining Digital Signatures and Public-Key Cryptosystems. Communica- 
tions of the ACM, 21(2):120-126, February 1978. 

[Sham83] Adi Shamir: On the Generation of Cryptographically Strong Pseudorandom 
Sequences. ACM Transaction on Computer Systems, l(l):38-44, February 
1983. 

[WaPf90] Michael Waidner and Birgit Pfitzmann: The Dining Cryptographers 
in the Disco: Unconditional Sender and Recipient Untraceability with Com- 
putationally Secure Serviceability. In Advances in Cryptology — EURO- 
CRYPT ’89, LNCS 434, page 690. Springer-Verlag, Berlin, 1990. 

[Wien90] Michael ,T. Wiener: Cryptanalysis of Short RSA Secret Exponents. IEEE 
Transactions on Information Theory, 36(3):553-558, May 1990. 




Selective Forgery of RSA Signatures Using Redundancy 



Marc Girault Jean-Fran^ois Misarsky 

marc.girault@franceteIecom.fr jean-francois.misarsky@francetelecom.fr 



CNETCAEN 
42, rue des Coutures 
B.P. 6243 

FR- 14066 CAENCedex 



Abstract: We show the weakness of several RSA signature schemes using 
redundancy (i.e. completing the message to be signed with some additional 
bits which are fixed or message-dependent), by exhibiting chosen-message 
attacks based on the multiplicative property of RSA signamre function. Our 
attacks, which largely extend those of DeJonge and Chaum [DJC], make 
extensive use of an affine variant of Euclid's algorithm, due to Okamoto and 
Shiraishi [OS]. When the redundancy consists of appending any fixed bits to 
the message m to be signed (more generally when r^undancy takes the form 
of an affine function of m), then our attack is valid if the redundancy is less 
than half the length of the public modulus. When the redundancy consists in 
appending to m the remainder of m modulo some fixed value (or, more 
generally, any function of this remainder), our attack is valid if the 
redundancy is less than half the length of the public modulus minus the length 
of the remainder. We successfully apply our attack to a scheme proposed for 
discussion inside ISO. 



1 Introduction 

Let (P, S) be a RSA [RSA] key pair, where P is the public function and S the secret 
one. It is well known that the "reciprocal property" (the fact that PoS = SoP=:Id, 
the identity function) and the "multiplicative property" (the fact that 
S(xy) = S{x)S(y)) of RSA lead to potential weaknesses, especially when used for 
signatures. 

The reciprocal property trivially allows to perform an existential forgery: just choose 
Z at random and compute m = P(Z) ; then the pair (m, Z) is an apparently authentic 
signed message. The multiplicative property allows a selective forgery by performing 
a 2-chosen-message attack, i.e. a chosen-message attack requiring two messages. Let 
m be the message to be signed, choose x as you like in [l,n-l] and compute 



W. Fumy (Ed.): Advances in Cryptology - EUROCRYPT ’97, LNCS 1233, pp. 495-507, 1997. 
© Springer- Verlag Berlin Heidelberg 1997 




496 



y = mfx modn where n is the public modulus; obtain the signatures of x and y and 
compute the signature of m as the product S{m) = S(,x)S{y) modn . 

Different ways exist to eliminate these potential weaknesses. We can either add some 
redundancy to the message to be signed [ISOl], or use a hash-function in the signature 
scheme [IS02], [BR], TTie present paper is related to the redundancy solution. This 
solution is of particular interest when the message is short, because it prevents from 
specifying and implementing a hash-function (a rather delicate cryptographic 
challenge), and it allows to construct very compact signed messages, since messages 
can be recovered from the signatures themselves (and hence need not any longer be 
transmitted or stored). More precisely, let R be the (invertible) redundancy function. 
The signature of m is 2i(m) = 5[/?(m)], and the signer only sends X(m) to the receiver. 
The latter applies P to X(m), and verifies that the result complies with the redundancy 
rule, i.e. is an element of the image set of R. Then he recovers m by discarding the 
redundancy (i.e. by applying R') to this result. 

But it has been shown in the past [DJC] that too simple redundancy does not avoid all 
the chosen-message attacks. For instance, the redundancy defined by appending 
trailing 'O' bits to the message is insufficient because it remains possible, for any m, to 
construct two integers x and y such that (mllO..O) = (xllO..O)(yllO..O) mod n (implying 
5(/nllO..O) = 5(xllO..O)S(yllO..O) mod n) by using Euclid's algorithm. In the standard 
ISO/IEC 9796 Part 1 [ISOl], a redundancy function is described, the security of 
which is assessed as very good. But its expansion rate (at least two) is too high in 
many applications, e.g. public key certification. As a consequence, there remains a 
need for a simple/short redundancy function providing adequate security. 

The main goal of this paper is to show that a number of attractive redundancy 
functions, some of which proposed here and there, are subject to a 2-chosen-message 
attack. It is organized as follows: in section 2, we summarize our results, in section 3, 
we describe the mathematical tools used by our attacks, in section 4, attacks on valid 
messages with fixed redundancy, in section 5. attacks on valid messages with fixed 
and modular redundancy, in section 6, some applications including an attack on a 
scheme proposed for discussion inside ISO. We explain how to defeat this forgery in 
section 7 and we conclude in section 8. 

Throughout this paper, we call valid message any message m completed with 
redundancy (i.e. any integer in the form R{m)), and bitlength (or length in short) of an 
integer the number of bits of its binary representation. We denote by Iml the bitlength 
of m. We also define mb as the maximum bitlength of message accepted in a signature 
scheme. 

2 Our Results 

First, we extend the results of De Jonge and Chaum [DJC]: if the redundancy consists 
in appending any fixed bits to m to be signed, or more generally if redundancy takes 
the form of an affine function of m, that is when the signature L(m) of m is computed 
as Z(m) = 5(o)m + a), for any constant a, any constant co and message m, then the 
signature scheme is subject to a chosen-message attack, provided the redundancy is 
less than half the length of the public modulus used by 5 and P. De Jonge and Chaum 




497 



exhibited similar attacks only in the cases when a = 0 (with the same amount of 
redundancy) or when (0=1 (with a smaller amount of redundancy). 

Next, we study the case of the redundancy obtained in appending to m the remainder 
of m modulo some fixed value. Then, the signature scheme is still subject to a 2- 
chosen-message attack, provided the redundancy is less than half the length of the 
public modulus minus the length of the remainder. In a particular case, it even works 
when the redundancy is up to half the length of the modulus. 

Here, the term "chosen-message attack" means the following: for any arbitrary 
message m it is possible to construct two messages ffi, and such that 
£(/nj) / 2(/n,) = £(m) modulo the RSA-modulus used by S. Therefore, by obtaining the 
signatures of m, and m^, an enemy can forge the signature of m. It must be stressed that 
m can be entirely selected by the enemy; so this forgery is selective, not only 
existential. 

All the attacks make extensive use of an affine variant of Euclid's algorithm, due to 
Okamoto and Shiraishi [OS], which is described in the coming section. 

3 Basic Tools 

In all our attacks, we will face the following problem: 

Let n be a positive integer and d, z^, X, Y, with X and "small", four positive integers 
less than n. Find solutions x and y to: 



(5) 



dx = y + Zc (modn) 

w< ^ 

> 1 < 



3.1 Case of z, = 0 

W. De Jonge and D. Chaum solved this problem [DJC]. There is at least one solution 
not equal to (0, 0) if XT > n. Demonstration of this result uses the "pigeon-hole 
principle". It is useful to remark [GTV] that finding small x and y satisfying (S) comes 
to finding a good approximation of the fraction din. So, we find such a solution by 
developing it in continued fractions i.e. applying extended Euclidean algorithm to d 
and n. 

Algorithm EE 

• Input: n, d, X, Y (with XY > n) 

• Output: nothing or some x such that |x| < X and |iix (mod n)| < Y 

• Method: apply extended Euclidean algorithm to d and n; one obtains coefficients 

and m, such that: 



/,« + m^d = r. 



( 1 ) 




498 



where the r. are the successive remainders; output the smallest (in absolute 
value) m, such that njY (the case "such an m- does not exist" is 
very rare), 

• Proof, the fractions = - Ijtn. are in fact the convergents of the development 

of djn in continued fractions; hence: 

+ +n/J < 

=i> |iiffi,(modn)| < Y 
Moreover, ( |»i,| < njY and XY >n) implies |m,.| < X 

3.2 Case of z, 0 

Okamoto and Shiraishi provide in [OS] an extension of extended Euclidean algorithm 
which very often solves this problem. We use a version of this algorithm to generate 
solutions. 

Algorithm OS 

• Input: n, d, X, Y (with XY>n),z^ 

• Output: nothing or some x such that |a-| < X and \dx- (mod n)| < Y 

• Method: apply extended Euclidean algorithm to d and n; introduce a sequence y, 

whose first term y„ is z, and following ones are defined by: 

y, = yi-,-^'r. ( 2 ) 

where q' is the quotient in the division of y,., by ; introduce also the 
sequence k. whose first term is zero and the following ones are defined 
by: 

= ^,-1 + ( 2 ) 

Output k, such that n/Y < |^,j < X and \k^\y^ < n 

• Proof let the sequence /i, whose first term is zero and following ones defined 

by: 

+9,3, (4) 

Then, 

h^n + k^d = (/i,.j + 9 ,'/, )n + (^,_, + 9 ,'m, )d 
= h._^n + + 9'(/,« + m,d) 

( 1 ) and ( 2 ) imply: 

/i,« + k^d = h,_,n + kg_^d + (y,_, - y, ) 

Then, 

h,n + k,d = 0 + (y„-y,) + (y, -yJ+...+(y,., -y,) 

= >’o - y, => k,d (mod n) = Zo-y\ 

By taking output's conditions on Jt, into account, we have: 

|^,| < X and y, < n/|^, j < T 




499 



Remark: to increase the number of solutions when 0, you can combine one 
solution (x, y) found by algorithm OS with a solution (x\ y') given by algorithm EE for 
the same system with = 0. 

4 Valid Messages with Fixed Redundancy 

Recall that redundancy function takes the form of an affine function of message. The 
signature 2(m) of m is computed as Z(m) = 5(own + a) for any constant a, any constant 
CO and message m. DeJonge and Chaum already studied multiplicative attacks on 
schemes using fixed redundancy. But their results were restricted to a = 0 (and any 
value of to) or CO = 1 (and any value of a). Moreover, their attack is valid if the 
redundancy takes up less than half of the bits in the modulus n when a = 0, and 
otherwise if the redundancy takes up less than one third of the bits in the modulus n. 
Our method extend this results: the signature scheme is subject to a chosen-message 
attack for any value of a and co, provided that the redundancy takes up less than half of 
the bits in a valid message. 

In this section, we describe our attack on right-padded redundancy scheme, left- 
padded redundancy scheme, then on a more general scheme. Proof and efficiency are 
only given in the general case. 

4.1 Right-Padded Redundancy Scheme 

Let a be a fixed pattern of bits, and cu = 2“. 

We denote by % the set of messages; 

% = { integers m such that 0 5 m < n/co} 
and by % ' the set of valid messages: 

= { com + a such that me %] 

Example: an element of % ' has this form: 



Message m 



..1010010100001110101 1 



Attack: 

• Choose a message m e of which you want to forge a signature. 

• Set 



• Solve 



2o = 



a 

(0 



[l-(£afn-^a)](modn) 



(5) 



(cam-i-a)x = y-t-Zo(modn) (6) 

with x and y elements of ‘g by using algorithm OS. You obtain, very often, a 
solution if the range of m is larger than -Jn (i.e. the number of bits of redundancy a 
is less than half of the bits of modulus n). See 4.3 for more details. 

• By replacing by its expression (5) in the latter equation (6), you can easily prove 
that (com + a)(cox -t- a) = (coy + a) (mod n). If you gel signatures of y and x (i.e. if you 
get S(coy + a) and S(cox -t- a)), then you deduce the signature of m by dividing 
S(coy -I- a) by S(tox -i- a) modulo n. 





500 



4.2 Left-Padded Redundancy Scheme 

Let a' be a fixed pattern of bits, and ji = 2“*’. We denote by the set of messages: 

= { integers m such that 0 < m < )3} 
and by ' the set of valid messages: 

'?'= {m + fl'jS such that m e 
Example: an element of % ' has this form : 



01001001010101111... 



Message 



m 



Attack: 

• Choose a message m e of which you want to forge a signature. 



• Set 








z„ = a')9[l-(TO+a')3)](modn) 


(7) 


• Solve 








(m + ap)x = y -t- Zg(mod n) 


(8) 



with X and y elements of by using algorithm OS. You obtain, very often, a 
solution if the range of m is larger than -Jn (i.e. the number of bits of redundancy a 
is less than half of the bits of modulus n). See 4.3 for more details. 

• By replacing 7 ^ by its expression (7) in the latter equation (8), you can easily prove 
that (m + a'p){x + a'p) = (y + a'p) (mod n). If you get signatures of y and x (i.e. if 
you get S(y + a'p) and S(x + a'p)), then you deduce the signature of m by dividing 
S(y + a'p) by 5(x + a'P modulo «. 

4.3 Generalization 

Let a be the lower bound to a valid message, b be the upper bound to a valid message 
(a 5 m < «), oa a multiplicative constant. Consequently, we can define as the set 

of messages: 

= (integers m such that 0 < m < {b - a) /a] 
and % ' as the set of valid messages; 

'?'= {(om + a such that /7i 6 '?) 



Attack: 

• Choose a message /n e of which you want to forge a signature. 

• Set 



Zo = 



— [1 - (am + a)](mod ti) 



(9) 



• Solve 



(com + a)x = y + Zo(modn) (10) 

with X and y elements of 'S by using algorithm OS. You obtain, very often, a 
solution if the range of m is larger than -Jn (i.e. the number of bits of redundancy, 
multiplicative and additive, is less than half of the bits of modulus n). 





501 



• By replacing by its expression (9) in the latter equation (10), you can easily prove 
that (com + a)(oix + a) = (toy + a) (mod n). If you get signatures of y and x (i.e. if you 
get S(coy + a) and 5(cox + a)), then you deduce the signature of m by dividing 
5(ooy + a) by 5(ow: + a) modulo n. 



Proof. 



let X and y be a couple of solutions: 
(com + a)x = 



y + Zo 



{com + a)o}x 

{com + a)cwc 
(am + a)(o}x + a) 



tuy + tu 



— [l-(o)m + a)] j 



CO 



coy+a — a(com + a) 
(coy + a) 



(mod n) 
(mod n) 

(mod n) 
(mod n) 



Efficiency: algorithm OS gives a solution if XY > n (see 3.2.), i.e. if: 

(b-a) {b-a) 



> n 



CO 



CO 



Thus, a solution is obtained when the range of m, i.e. — — ^,is larger 



CO 



than ■Jn or when: 



log; 



b-a 



CO 



l0gj(«)-l0g; 



b-a 



CO 



> l0g,(Vrt) 

< •^logzC”) 



i.e. the number of bits of redundancy, multiplicative and additive 
redundancy, is less than half of the bits of modulus n. 



Remarks : 

• If to is a power of two upper than 2'"' then it is the right-padded redundancy scheme 
(see 3.1). 

• If CO = 1 and a is a multiple of 2"''’ then it is the left-padded redundancy scheme (see 
3.2). 

• Note that with an appropriate choice of to and a. it is a scheme with the message in 
the middle : 



I 1101010101~ 



... 000101011 ^ 



Message 



e m 



5 Valid Messages With Fixed And Modular Redundancy 

The expression "modular redundancy" is used to indicate a redundancy obtained with 
a modular operation. We denote this modular redundancy by the function B{x). In this 
section, we consider a modular redundancy of « bits in length. 

We consider three cases: first of all, the particular case H(m) = m (mod 2“ + 1), a 
modular redundancy of u bits (except if H{m) = 2“, an event of probability nearly 
equal to 0). Next H(m) = m (mod 2“ + v) where v is a negative integer greater than or 








502 



equal to -2“ ', and last //(m) = (m (mod 2" + v)) © Mask where v is a negative integer 
greater than or equal to -2“ ‘ and Mask is a «-bit fixed string. We denote the message 
m concatenated with H{m) by: 

<I>(m) = m II //(m) (11) 

Let a and O) be integers less than n, a the length of message, and % the set of 
messages: 

= {m such that 0 < m < 2“} 

Then, the set of valid messages is: 

%' =■ {ci)<I)(m) + a, with m e '^] 

Example: if co is a power of two, then an element of ' has this form : 



01011 .... 



Message m 



a bits ) 



H(m) ( u bits ) 



...0110 



5.1 H(m) = m (mod 2" + 1) 



We can also write 

m = ^(2“ + 1) + r 

with q the quotient and r the remainder of Euclidean division of m by (2“ + 1). 
Hence 0(w) = [^(2“ + 1) + r] 2“ + r and finally we obtain: 

<&(m) = v<m)(2“+l) 

with 

V<m) = q2‘ + r 

Consequently, a new definition of the set of valid message is possible : 

‘^'= {(a'^rn) + a with m e '?} 

with co' = co(2“ + 1). 

Our attack uses this new definition. 



( 12 ) 

(13) 

(14) 



Attack: 

• Choose a message m of which you want to forge a signature. 

• Set 



= -^[l - (<B V(m) + a)] (mod n) (15) 

• Solve 



(co' v/(m) + a)x = y + z„ (mod n) (16) 

with X and y positive integers less than 2“*“/(2“ + 1) by using algorithm OS. You 
obtain, very often, a solution if the number of bits of the message, a, is upper than 
half of the length of modulus n. 

• By replacing by its expression (15) in the latter equation (16), you can easily 
prove that: 

(co'i^m) + a) (co'x + a) = (co'y + a) (mod n) 

But the definition of function (13), and the fact that <I>(m)<2“*“, imply the 
existence of a message m s.t. \p{m) = t when t is less than 2“*" /(2“ +1). Consequently, 
there are two messages m, and such that \|/(m,) = x and t|/(mj) = y. Finally, if you 










503 



get signatures of m, and (i.e. if you get S((a'y/im^) + a) and + a)), then 

you deduce the signature of m by dividing Sfco'y^m^) + a) by Sfco'v/(m,) + a) modulo 
n. 

5.2 H{m) = m (mod 2" + v) 

Let 

m = 9 ( 2 “ + v) + r (17) 

where q and r are respectively the quotient and the remainder of the Euclidean 
division of m by (2“ + v). Thus: 

d>(/n) = 9 ( 2 “ + v) 2 “ + r( 2 “ + 1 ) (18) 

Given that v ^ 1, it follows that we cannot apply the latter method (5.1) to reduce the 
number of variables. Consequently, we will rather fix the value of either the quotient 
or the remainder. We choose to fix r because its range is shorter than the range of q. 
Hence, the modular redundancy is fixed as well. 

Attack: 

• Choose a message m of which you want to forge a signature. 

• Choose Tj and two positive integers less than 2“ + v. 

• Set 

a, = r,(2“ + l)o} + a 

a, = r,(2‘ + ])(0 + a (19) 

• Solve 

(co<I>(m) + fl) 9 , = 9 j - Zj (mod n) ( 20 ) 

with 9 , and positive integers less than, respectively, ( 2 “ - r,) / ( 2 " + v) and 
(2“- rj)/(2" + v), by using algorithm OS. You obtain, very often, a solution if the 
number of bits of the message, a, minus the number of bits of redundancy, «, is 
upper than half of the length of modulus n. 

• Set 

m, = 9 ,( 2 “ + v) + r, ( 21 ) 

and 

ffij = 9 j(2“ + v) + Tj (22) 

The set of possible values of 9 ,, r,, 9 ^, r^, implies that m, e Af and e M. By 
replacing z„, a,, a^, by their expressions (19) in the solved equation ( 20 ), you obtain, 
after a brief calculation : 

(oo<l>(m) + a) (cod>(m,) + a) = (o)4>(mj) + a) (mod «) 

Finally, you deduce the signature of m by dividing S(t»<l>(mj) + a) by 5(toC)(m,) + a) 
modulo n. 



5.3 H{m) - {m (mod 2“ + v)) 0 Mask 

We denote by Mask a «-bit fixed string and by 0 the function exclusive OR. 




504 



We apply the same method as previously, but we introduce a new function: 
C{r) - rl'^ + (r 0 Mask) 



Thus we obtain: 



(23) 



4>(m) = <?(2“ + v)2" + C(r) (24) 

Since during the development of the attack the two remainders r, and are fixed, 
C(rj) and C{r^ are also fixed and the mask does not generate any extra difficulty. 



Attack: 

• Choose a message m of which you want to forge a signature. 

• Choose r, and two positive integers such that they are less than 2“ + v. 

• Set 



• Solve 






^0 



C(r,)<M + a 



C(rj)aj + a 



(25) 



(MOfm) + a)q^ = - z^(mod n) (26) 

with g, and positive integers less than, respectively, (2“ - r,) / (2“ + v) and 
(2“- rj)/(2“ + v), by using algorithm OS. You obtain, very often, a solution if the 
number of bits of the message, a, minus the number of bits of redundancy, u, is 
upper than half of the length of modulus n. 

• Set 



and 



m, = ^,(2“ + v) + r, 



(27) 



Wj = qp“ + v) + Tj (28) 

The set of possible values of q^, r,. q^, r^, implies that M and e M. By 
replacing a^, a^, by their expressions (25) in the solved equation (26), you obtain, 
after a brief calculation : 

(,(O0(m) + a) (cod>(mj) + a) = (co<t>(m 2 ) + a) (mod n) 

Finally, you deduce the signature of m by dividing S(cod>(mj) + a) by S(co<l>(mj) + a) 
modulo n. 



Remark: since this attack does not depend on the exact expression of C(r), it can be 
performed against any modular redundancy in the form: 

H{m) = H'[m (mod 2“ + v)], for any function H'. 

6 Applications 

We applied our results to a part of the project on digital signature schemes giving 
message recovery ISO/IEC JTC 1/SC 27 [ISO]. It was a Working Draft (WD), i.e. one 
of the first stages of the development of International Standards. After, when the 
working group is satisfied with the specified solution, the next step is the Committee 
Draft (CD), which is submitted to a ballot. Successive Committee Drafts may be 




505 



considered until consensus is reached on the technical content. Once consensus has 
been attained, the text is finalized for submission as a Draft International Standard 
(DIS). Once a DIS has been approved, the final text is published as an International 
Standard (IS). 

Part 2 of this project aims at defining a signature scheme allowing short certificates, 
which is convenient for smart cards. Like ISO/IEC 9796 [ISO], it is supposed to avoid 
the known attacks against RSA [GQLS]. In a particular case, this project uses a 
simplified hash-function H{m) = 2(m (mod 2’®+l)) to define the modular redundancy. 
Structure of a valid message ; 



Adaptation 

bits 


More-data bit 


Padding Field 


Data 

Field 


Check Field 


Adaptation 

nibble 


Fixed: 2 bits 


Fixed: 1 bit 


Variable: 1 or 
more bits 


Variable 


Fixed: 80 bits 


Fixed; 4 bits 


01 


0 


0, 1 or more bits 
set to 0 followed 
by 1 bit set to 1 


Message 


Modular 

redundancy 


0110 



We implemented algorithms OS and EE in C-language on a PC computer to obtain 
our results. With a message m of 384 bits. H(m) = 2(m (mod 2’*+!)), and a 512-bit 
RSA-modulus to define this scheme, we found nearly 40 solutions with algorithm OS 
and nearly 4000 solutions by the means of a simple combination with results of 
algorithm EE. This result can certainly be improved if all possible combinations are 
considered. When the length of message is 425-bit long, we found 60 or so with OS 
and about 8800 with OS combined with EE. 

We have modified the function H{m) to study the efficiency of our algorithm. With 
H{m) = Mask®l{m(smAVH\)) and Masfc = BBBBBBBBBBBBBBBBBBBB, we 
found, when the length of message is 384 bits nearly 16 solutions with OS and nearly 
670 with OS and EE. When the length of message is 425 bits, we found 23 or so with 
OS and about 1720 with OS combined with EE. As previously, the number of 
solutions can certainly be expanded. 

Remark, in the first case, we obtain more solutions than in the second one because the 
redundancy is not fixed. In fact, using H{m) = 2{m (mod 2^®+!)) is like using the 
particular modular redundancy defined in 5.1. Here « = 80 and 
^{m) = [q{2^ +l) + r] 2*“ + 2r 

with q the quotient and r the remainder of Euclidean division of m by (2’^ -i- 1). 
Finally we obtain: 

<P(m) - i//(m)(2*‘’ + 2) with y/(m) = q2^^ + r 
and the attack described in 5.1 can be applied. 

7 How To Defeat This Forgery 

At Eurocrypt'96 Rump Session, we proposed three solutions to repair the previous 
schemes : 

- Introduce the quotient q of Euclidean division of m by (2“ + v) 

H(jn) = rxq (mod 2“ -i- v) 




















506 



This definition of H implies that we cannot isolate q and r in the expression of m 
concatenated with H{m). The principle of our attack cannot be used here. 

- Append to m its remainders modulo two different values, 2^ + v and 2"^ + w with 
V w. Two different moduli increase the link between message and redundancy, there 
is an interdependence between the different quotients and remainders. One of them 
cannot be fixed to use our attack. Simple values can be chosen, e.g. v = -1 and w = 0. 

- Split the message into different parts and keep a simple redundancy. This method 
increases the number of variables and OS cannot be used to solve mx = y (mod n). 
The latter solution is used in ISO/IEC 9796-3 [IS03], Working Draft, December 
1996, which replaces ISO/IEC JTC 1/SC 27 [ISO]. 

Remark: one of the authors has recently discovered a multiplicative attack using lattice 
basis reduction and only the first solution is valid. 

8 Conclusion 

We have shown the weakness of many attractive redundancy functions for the purpose 
of RSA digital signatures. We successfully applied our attack to an ISO Working 
Draft [ISO] and a modified version using a redundancy function with mask. Thus, we 
showed that some redundancy function may be inappropriate, even when it is 
message-dependent and even when it involves non-arithmetic operations. Afterwards, 
we have proposed new redundancy functions, which apparently cannot be attacked by 
our techniques. Nevertheless a further research showed that two of them can be 
attacked by a LLL-based method. 

Acknowledgments 

We would like to thank Louis Guillou for many fruitful discussions about RSA 
signature schemes and for stimulating this research. We are grateful to Luc Vallde for 
help on the C-language and for lending of his big number library. We also thank the 
referees for their useful comments on the previous version of the paper, which helped 
improve the quality of this paper. 

References 

[BR] M. Bellare, P. Rogaway, "The Exact Security of Digital Signatures - 

How to Sign with RSA and Rabin", Eurocrypt'96 Proceedings, Lecture 
Notes In Computer Science, Vol.1070, U. Maurer ed., Springer-Verlag, 
1996. 

[DJC] W. De Jonge, D. Chaum, "Attacks on some RSA Signatures", Advances 

in Cryptology, Crypto'85 Proceedings, Lecture Notes In Computer 
Science, Vol.218, Springer-Verlag, Berlin, 1986, pp. 18-27. 

[GQLS] L.C. Guillou, J.J. Quisquater, P. Landrock, C. Shaer, "Precautions taken 
against various potential attacks in ISO/IEC DIS 9796, Digital signature 
scheme giving message recovery", Eurocrypt'90 Proceedings, Lecture 
Notes in Computer Science, Vol.473, Springer-Verlag, pp 465-473. 




507 



[GTV] M. Girault, P. Toffin, B. Vallee. "Computation of approximation L-th 
roots modulo n and application to cryptography", Proc. of Crypto'88, 
LNCS 403, Springer-Verlag, 1988, pp. 100-1 17. 

[ISO] ISO/IEC JTC 1/SC 27, "Digital signature schemes giving message 

recovery; Part 2: Mechanisms using a hash function". Working Draft, 
January 1996. 

[ISOl] ISO/IEC 9796-1, "Digital signature schemes giving message recovery; 
Part 1: Mechanisms using redundancy". 

[IS02] ISO/IEC 9796-2, "Digital signature schemes giving message recovery; 

Part 2: Mechanisms using a hash- function". 

[IS03] ISO/IEC 9796-3, "Digital signature schemes giving message recovery; 

Part 3: Mechanisms using a check-function". 

[OS] T. Okamoto and A. Shiraishi, "A fast signature scheme based on 

quadratic inequalities", Proc. of the 1985 Symposium on Security and 
Privacy, Apr. 1985, Oakland. CA. 

[RSA] R.L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital 
signatures and public-key cryptosystems", CACM, Vol. 21, n°2, Feb. 
1978, pp. 120-126. 




Author Index 



Ross Anderson 134 

Niko Baric 480 

Mihir Bellare 163, 280 

Dan Boneh 37 

Johan Borst 1 

Antoon Bosselaers 348 

Stefan Brands 318 

Gilles Brassard 334 

Christian Cachin 193 

Jan Camenisch 465 

Claude Carlet 422 

Don Coppersmith 52 

Ronald Cramer 75, 103 

Claude Crepeau 306, 334 

Ivan DamgSrd 75 

Richard A. DeMillo 37 

Marc Fischlin 393 

Roger Fischlin 267 

Rosario Gennaro 103 

Marc Girault 495 

Jovan Dj. Golic 226,239 

Rene Govaerts 348 

Markus Jakobsson 280, 450 

Thomas Johansson 149, 409 

Lars R. Knudsen 1 

Kaoru Kurosawa 409, 434 



Reynald Lercier 379 

Richard J. Lipton 37 

Ueli Maurer 209 

Daniele Micciancio 163 

Jean-Frangois Misarsky 495 

David Naccache 27 

Christof Paar 363 

Birgit Pfitzmann 88, 480 

Vincent Rijmen 1 

Michael Roe 134 

Takashi Satoh 434 

Claus Schnorr 267 

Berry Schoenmakers 103 

Adi Shamir 52 

Victor Shoup 256 

Pedro Soria-Rodriguez 363 

Jacques Stem 27 

Douglas Stinson 409 

Henk C.A. van Tilborg 1 19 

Joos Vandewalle 348 

Eric R. Verheul 1 19 

Michael Waidner 88 

Adam Young 62 

Moti Yung 62, 280, 450 

Thilo Zieschang 14 




